The RISKS Digest

Forum on Risks to the Public in Computers and Related Systems

ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

Volume 25 Issue 71

Tuesday 23 June 2009

Contents

Metro train fatal accident -- too much automation?
Joe Thompson
Air France crash and computers?
Steven M. Bellovin
Electronic health record system fails; ambulances turned away from hospital
Dale Hawkins
Demolition: GPS vs Address; Well, we were close...
David Lesher
Shoreline music-food event fiasco: electronic pay system fails
PGN
Green Dam Youth Escort
PGN
China dominates NSA-backed coding contest
Eugene H. Spafford
Electricity Industry to Scan Grid for Spies
Danny Burstein
Google Street View functions as CCTV
Mark Brader
Smart electric meter risks; disastrous GPS misuse
Nicky L Sizemore
Copier short-changes users
Matt Bishop
GM & Segway to make 2-wheeled car
Paul Czyzewski
Another High-Tech Accident?
Gene Wirchenko
Reducing Risks of Implantable Medical Devices
Kevin Fu
Woman Gets Others' Medical Records In Mail
Adolphius St. Clair
Bozeman asking job applicants for their userid/password
Arthur T.
Risks of copyright lobbyists hiring someone to plagiarize PR spin
Kelly Bert Manning
A new way to lose money via ATM...
David Lesher
Re: Security through obscurity
Steven M. Bellovin
REVIEW: "Zero Day Threat", Byron Acohido/Jon Swartz
Rob Slade
Info on RISKS (comp.risks)

Metro train fatal accident -- too much automation?

Joe Thompson <joe@orion-com.com>
Tue, 23 Jun 2009 12:22:59 -0400

Though a definite determination has not been made yet, some preliminary
reports of the DC Metro crash suggest a combination of automated control
failure and failure by the operator to apply emergency braking.  If borne
out, this could be the second Metro crash to be attributed at least
partially to driver inattention (along with the 2004 rollback crash).

I wonder if some of our systems have gotten *too* automated.  During normal
operation, Metro trains apparently move and stop fully automatically.  In
such a mode, it's easy to allow oneself the luxury of distractions, but even
in the absence of that, it's also easy to fall into "highway hypnosis".  The
first thing that comes to mind is making operators do some sort of constant
but non-repetitive task to stay alert, but that just moves the problem back
to "distraction".

What is the status of research, I wonder, into keeping human backups to
automated systems alert and awake without occluding their attention in case
of a genuine issue? -- Joe


Air France crash and computers?

"Steven M. Bellovin" <smb@cs.columbia.edu>
Thu, 4 Jun 2009 18:02:33 -0400

Could a Computer Glitch Have Brought Down Air France 447?
Jeffrey T. Iverson, *Time*, 5 Jun 2009
http://www.time.com/time/world/article/0,8599,1902907,00.html

		--Steve Bellovin, http://www.cs.columbia.edu/~smb

  [Several electrical systems in the Airbus 330 reported breaking down just
  before the crash, and the autopilot apparently disengaged.  The
  investigation is ongoing.  PGN]


Electronic health record system fails; ambulances turned away from hospital

Hawkins Dale <hawkins@pobox.com>
Thu, 04 Jun 2009 11:30:08 -0400

Aaaaargh!

From the Indianapolis Star  (via Slashdot)
http://www.indystar.com/apps/pbcs.dll/article?AID=/20090603/LOCAL18/906030346

Hospital is forced to turn away patients

Methodist Hospital went "on diversion" early Tuesday for the first time in
its 100-plus years, sending ambulances that came to its doors to other
hospitals.

A power surge knocked out Clarian Health's computer system Monday afternoon,
derailing the hospitals' ability to access electronic health records for
patients, said Clarian spokesman James Wide. Staff members at Methodist and
Indiana University Hospital had to enter patients' records by hand.

By about 1 a.m. Tuesday, a backlog of paperwork led Methodist and IU
hospitals to stop accepting patients who arrived by ambulance. Walk-in
patients were still accepted.


Demolition: GPS vs Address; Well, we were close...

"David Lesher" <wb8foz@panix.com>
Mon, 15 Jun 2009 19:29:15 -0400 (EDT)

A Sandy Springs man got a phone call Monday that his family home in Carroll
County [GA] was gone. Torn down. Demolished. ...  Channel 2 Action News
reporter Jovita Moore asked Byrd if the demolition company had an address.
I said, "What address did you have?" and he said, "They sent me some GPS
coordinates." I said, "Don't you have an address?" (and) he said, "Yes, my
GPS coordinates led me right to this address here and this house was
described," said Byrd.  <http://www.wsbtv.com/news/19715994/detail.html>


Shoreline music-food event fiasco: electronic pay system fails

"Peter G. Neumann" <neumann@csl.sri.com>
Tue, 23 Jun 2009 9:24:41 PDT

On 13 Jun 2009, the first Great American Food and Music Fest at the
Shoreline Amphitheatre in Mountain View CA (reportedly with some top-price
tickets at $500) used an electronic bracelet payment system for food that
"came down with a bad case of indigestion".  The system collapsed, causing
up to five-hour waits in food lines.  [Source: Lisa Fernandez, San Jose
Mercury, 16 June 2009]


Green Dam Youth Escort

"Peter G. Neumann" <neumann@csl.sri.com>
Tue, 23 Jun 2009 9:30:12 PDT

As of 1 July, all PCs sold in China must have the Green Dam Youth Escort
software that is intended to filter out porn.  However, that software has
serious security flaws (http://www.cse.umich.edu/~jhalderm/pub/gd/) and also
allegedly violates open-source licensing.  [Sources: Andrew Jacobs, China
Criticized Over Computer Filtering Plan, *The New York Times*, 10 Jun 2009
http://www.nytimes.com/2009/06/11/business/global/11censor.html?_r=1 and
Edward Wong, China Orders Fixes in Censoring Software, *The New York Times*,
16 Jun 2009; PGN-ed.  Mere mention of this here may also result in RISKS
being blacklisted in China -- if it is not already.  Also, the ability to
violate privacy, and for anyone -- not just the Chinese government -- to
remotely alter the software for surreptitious purposes including
surveillance might turn it into Green Damn-Youth Escort or even the Green
Youth Damned Escort Service.  PGN]


China dominates NSA-backed coding contest

"Eugene H. Spafford" <spaf@mac.com>
June 10, 2009 10:49:30 AM EDT

Programmers from China and Russia have dominated an international
competition on everything from writing algorithms to designing components.

Whether the outcome of this competition is another sign that math and
science education in the U.S. needs improvement may spur debate. But the
fact remains: Of 70 finalists, 20 were from China, 10 from Russia and two
from the U.S....

http://www.computerworld.com/action/article.do?command=viewArticleBasic&taxonomyName=development&articleId=9134122


Electricity Industry to Scan Grid for Spies

danny burstein <dannyb@panix.com>
Thu, 18 Jun 2009 00:21:56 -0400 (EDT)

The electric-utility industry is planning a pilot initiative to see whether
Chinese spies have infiltrated computer networks running the power grid,
according to people familiar with the effort.

Officials of the North American Electric Reliability Corp., an industry
regulatory group, are negotiating with a defense contractor for the job of
searching for breaches by cyberspies, according to people familiar with the
plans.  [Wall Street Journal]

rest:
http://online.wsj.com/article/SB124528065956425189.html#mod=testMod


Google Street View functions as CCTV

Mark Brader
Sun, 21 Jun 2009 06:55:03 -0400 (EDT)

* From: John Hatpin <RemoveThisjfhopkin@gmailAndThisToo.com>
* Newsgroups: alt.fan.cecil-adams
* Subject: Google CCTV
* Date: Sun, 21 Jun 2009 11:41:54 +0100
* Xref: number.nntp.dca.giganews.com alt.fan.cecil-adams:1611995

Google Street View functions as CCTV
http://www.theregister.co.uk/2009/06/19/street_view_mugging/

Now, what are the chances of that happening, eh?  Normally, to get a result
like that, you'd pretty much need cameras on every .... oh, never mind.

John Hatpin  http://uninformedcomment.wordpress.com/


Smart electric meter risks; disastrous GPS misuse

"Sizemore, Nicky L CTR DISA JITC" <NICKY.SIZEMORE.ctr@disa.mil>
Mon, 15 Jun 2009 11:38:14 -0700

Two highly risks-relevant stories from 'The Register':

Smart electric meter risks: This one to be reported at the upcoming Black
Hat conference:
http://www.theregister.co.uk/2009/06/12/smart_grid_security_risks/.

Apparent gross GPS misuse: This one reported with minimal detail and only a
URL, but sounds worthy of tracking down...
http://www.theregister.co.uk/2009/06/15/gps_house_flattening/

...some substantiation from WSB Atlanta at...
http://www.wsbtv.com/news/19715994/detail.html

...and ABCNews at
http://abcnews.go.com/Business/story?id=7823594&page=1
Many other Google hits, but most are brief and obviously derivative.

  [These are left as an exercise for the reader.  I don't have time to
  abstract.  Also, sorry for the long gap between issues.  PGN]


Copier short-changes users

Matt Bishop <bishop@cs.ucdavis.edu>
Tue, 09 Jun 2009 05:28:04 -0700

I gave a midterm in an introductory programming class this term.  The class
has 90 people.  I wrote the midterm, and asked the office staff to make 100
copies (just to be sure I had enough).  I picked them up a day before the
exam.

When I got to the class, I passed out the midterms.  I ran out of copies
after passing out 75 -- that means 15 people didn't have one.   So I had to
cancel the midterm, and write a completely new one.

When I reported the discrepancy, the office staff was quite upset and
investigated.  It turned out that the counter on the copier was
malfunctioning and reporting more copies than were actually made.

Moral of the story: always count the number of copies that a copier tells
you it makes!

  [Nasty problem if the copier is rented and usage costs are based on what
  the counter says!  I suppose a malicious bug would give you the correct
  number of copies, but charge for 33% more.  PGN]


GM & Segway to make 2-wheeled car

Paul Czyzewski <tallpaul@gmail.com>
Tue, 2 Jun 2009 11:24:03 -0700

  [This is an old item that somehow got lost in the shuffle, even
  with the "notsp" tag in the subject line.  PGN]

GM, Segway think 2 wheels, Associated Press, 7 Apr 2009
http://www.latimes.com/business/la-fi-gm-segway7-2009apr07,0,2638670.story

The companies plan to develop a two-wheeled, two-seat electric vehicle as a
clean, safe and inexpensive alternative to traditional cars ...  The
companies plan to announce today that they are developing a two-wheeled,
two-seat electric vehicle designed to be a safe, inexpensive and clean
alternative to traditional cars for cities across the world.  The companies
said their project, dubbed PUMA, for Personal Urban Mobility and
Accessibility, would include a communications network allowing vehicles to
interact with one another to regulate traffic flow and prevent crashes.  ...

[paul:  okay, here's the kicker.  Emphasis added:]

*Because it would be designed to automatically avoid obstacles such as
pedestrians and other cars, the PUMA vehicle
  ***** would not need air bags **** and
  **** would have safety belts for "comfort purposes" only, ******
said Larry Burns, GM's vice president of research, development and strategic
planning.

[and, yes, I did check to make sure that the story was not dated April 1.
Paul Czyzewski]


Another High-Tech Accident?

Gene Wirchenko <genew@ocis.net>
Sat, 13 Jun 2009 13:37:44 -0700

The URL summarises the article well:

http://www.upi.com/Odd_News/2009/06/01/Man-jogs-into-tree-while-using-Twitter/UPI-68651243891045/


Reducing Risks of Implantable Medical Devices

Kevin Fu <kevinfu@cs.umass.edu>
Mon, 22 Jun 2009 01:46:03 -0400

  [I asked Kevin to submit a note on his CACM Inside Risks column this
  month, on improving security and privacy for Implantable Medical Devices
  (IMDs).  It is a very timely column.  PGN]

Millions of patients benefit from programmable, implantable medical devices
(IMDs) that treat chronic ailments such as cardiac arrhythmia, diabetes, and
Parkinson's disease with various combinations of electrical therapy and drug
infusion.  Modern IMDs rely on radio communication for diagnostic and
therapeutic functions---allowing healthcare providers to remotely monitor
patients' vital signs via the Web and to give continuous rather than
periodic care.  However, the convergence of medicine with radio
communication and Internet connectivity exposes these devices not only to
safety and effectiveness risks, but also to security and privacy risks.  The
column explains the impact of these risks on patient care, and makes
recommendations for legislation, regulation, and technology to improve
security and privacy of IMDs.

The full text appears on:
http://www.csl.sri.com/users/neumann/insiderisks08.html#218
and on ACM's portal.acm.org website as well.


Woman Gets Others' Medical Records In Mail

"Adolphius St. Clair" <nermal1@earthlink.net>
Sat, 20 Jun 2009 09:32:22 -0400

Anyone out there guess what corrective action Blue Cross - Blue Shield would
have taken to correct this screw-up if this person had not gone to the news?

A Seminole County FL woman expecting a new insurance card from Blue
Cross/Blue Shield received a box with hundreds of private medical records
for other people.  [WFTV, 19 Jun 2009]
http://www.wftv.com/news/19804431/detail.html


Bozeman asking job applicants for their userid/password

"Arthur T." <risk200906.10.atsjbt@xoxy.net>
Sat, 20 Jun 2009 14:39:07 -0400

Bozeman, Montana has a job application form that asks: "Please list any and
all, current personal or business websites, web pages or memberships on any
Internet-based chat rooms, social clubs or forums, to include, but not
limited to: Facebook, Google, Yahoo, YouTube.com, MySpace, etc." There are
column headings for Username and Password.  Despite what's been written,
there is no indication in the form that it's not mandatory.
<http://www.bozeman.net/bozeman/humanResource/forms/Background_Check_Form_Interview_MASTER.pdf>

There has been much written about this. Most of it attacks the requirement
on ethical and privacy issues, but there is another point that I've seen
less often. It is against most sites' Terms of Service to give your password
to anyone, and it's against most sites' TOS to attempt to access the site
with someone else's userid. If you recall, Lori Drew was convicted in
federal court of violating the MySpace TOS in the cyberbullying case.

It seems to me that if city personnel actually used any of the passwords,
they could be indicted on the same charges, as could the applicants who
supplied the passwords.

Once the public flap started, I'm surprised that Bozeman didn't take the
easy way out by saying that they never planned to use the information. It's
just that anyone who supplied their userids and passwords was automatically
disqualified for lack of sufficient intelligence.


Risks of copyright lobbyists hiring someone to plagiarize PR spin

Kelly Bert Manning <bo774@freenet.carleton.ca>
Sun, 07 Jun 2009 21:04:39 -0700

It isn't just students who need to worry about plagiarized content being
revealed when they submit their papers.

It has recently been revealed that 3 "independent" Conference Board of
Canada "research" reports submitted to legislators and recommending
increased copyright protection were found to contain large sections of word
for word boilerplate text copied, without acknowledgment or attribution,
from the funding lobby group's own PR Spin material on the issue.

This wasn't a case of copying without permission or knowledge of the
copyright holder. It appears to be an embarrassing case of the copyright
holder trying to give their own questionable claims a credibility boost by
having "independent" researchers' names used in place of their own name.

Ironic, eh!

http://www.michaelgeist.ca/content/view/62/128/
http://www.michaelgeist.ca/content/view/4009/125/
Conference Board Recalls All Three IP Reports
The Conference Board of Canada has just announced that it is
recalling all three IP reports that it issued last week.  It says that
"an internal review has determined that these reports did not follow the
high quality research standards of The Conference Board of Canada."

Update: Jesse Brown interviewed Anne Golden, CEO of the Conference Board of
Canada.  Golden admits that the digital economy report was plagiarised.

Update II: Media coverage of the Conference Board pulling the reports from
the CBC, Vancouver Sun, Montreal Gazette, Macleans, Mediacaster, Techdirt,
and the Georgia Straight."

The Conference Board at first "stood by" all 3 submissions, but is now in
full retreat and asking former staff researchers for "help".

Some former researchers whose names were left attached to what became in
large part a word for word repeat of lobbyist material are seeking to have
their names disassociated from the plagiarised work.

Independent research work which contradicted the lobbyist claims was
removed, but the researchers' names were somehow left on as authors of a
work they do not wish to have their names associated with.

One researcher listed as an author of the reports, who is seeking to have
[his/her] name removed from the plagiarism-tainted documents, gives reasons
such as:
  "The Conference Board asks for my help but won't acknowledge that it was
  wrong to put my name on reports that bear little resemblance to the
  original research I submitted, were substantially reworked, and were
  published ten months after I resigned."

http://www.techdirt.com/articles/20090603/0733135109.shtml
Former Conference Board Author Explains How Lobbyists Influenced
Plagiarized Reports

http://www.michaelgeist.ca/content/view/4025/125/
Ex-Conference Board Author Speaks Out; Confirms "Push Back" From
Copyright Lobby Funders

http://www.p2pnet.net/story/22321
Conference Board denies Geist allegations

http://www.calgaryherald.com/Clients+dictated+think+tank+research+Former+employee/1659760/story.html
Clients dictated think-tank research: Former employee

Copyright lobbyists seeking to extend protection have previously learned to
be careful what they ask for.

USA provisions for making the copyright period longer allowed the original
owner, or their heirs, to have the copyright reassigned to them for the
extended period of protection, since the price paid for transferring the
copyright was based on the original copyright period length. The widow and
daughter of one of the originators of "Superman" retrieved their half of the
copyright, after a marathon of litigation.  An heir of the other creator is
also talking to lawyers.


A new way to lose money via ATM...

"David Lesher" <wb8foz@panix.com>
Tue, 23 Jun 2009 13:12:09 -0400 (EDT)

Paul Marks, Cash machines hacked to spew out card details,
*New Scientist*, 17 June 2009
<http://www.newscientist.com/article/mg20227135.700-cash-machines-hacked-to-spew-out-card-details.html>

After months poring over the Windows-based software in the bank's ATMs,
Henwood and his team were astonished. They found a 50-kilobyte piece of
malware disguised as a legitimate Windows program called lsass.exe. {..}

This is a clever choice of camouflage, says SpiderLabs' forensics manager
Stephen Venter: to an IT staffer, lsass.exe doesn't look out of place in a
Windows system, so routine checks wouldn't necessarily pick it up. Yet it
has no useful function in an ATM. {...}

Equally ingenious is how the crooks harvest their stolen data - by using the
ATM's receipt printer. Inserting a trigger card into the machine's slot
causes the malware to launch a small window on the screen, with a variety of
options. The first is to print out a list of all recently used cards. The
data on the printout is encrypted, so crime bosses could enlist low-level
accomplices to visit ATMs to retrieve the printouts, safe in the knowledge
that they cannot use the data to clone cards themselves.

Comment:
And yet companies build both ATMs and voting machines based on Windows....
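The New Scientist piece quoted above notes that a file named lsass.exe "doesn't look out of place in a Windows system, so routine checks wouldn't necessarily pick it up." The following is an added example of what a slightly less routine check looks like; it is not code from the article, from SpiderLabs, or from the RISKS post. It runs over a constructed process snapshot (the pipe-separated format, the PIDs and the paths are all invented for illustration) and flags any lsass.exe that is not the single instance started from its expected location by its expected parent. The expected parent names are an assumption stated in the code.

```python
"""Flag processes masquerading as lsass.exe in a process snapshot.

Added example; the snapshot format and the sample rows are constructed for
illustration.  In practice the rows would come from tasklist, Get-Process,
Sysmon or EDR telemetry.
"""
from dataclasses import dataclass
from typing import Dict, List

# The genuine LSA subsystem lives here (compared case-insensitively).
EXPECTED_PATH = r"c:\windows\system32\lsass.exe"

# Assumption: the genuine lsass.exe is started by wininit.exe (Vista and
# later) or winlogon.exe (XP/2003).  Anything else is worth a look.
EXPECTED_PARENTS = {"wininit.exe", "winlogon.exe"}


@dataclass
class Proc:
    pid: int
    name: str
    path: str
    parent: str


def parse_snapshot(text: str) -> List[Proc]:
    """Parse 'pid | name | image path | parent' lines.

    Blank lines and lines starting with '#' are ignored.  Names, paths and
    parents are lower-cased so comparisons are case-insensitive.
    """
    procs = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        pid, name, path, parent = (f.strip() for f in line.split("|", 3))
        procs.append(Proc(int(pid), name.lower(), path.lower(), parent.lower()))
    return procs


def find_lsass_impostors(procs: List[Proc]) -> Dict[int, List[str]]:
    """Return {pid: [reasons]} for every lsass.exe instance that looks wrong.

    Three independent checks: more than one instance, an image path other
    than System32, and a parent that is not the normal system launcher.
    The genuine process is also reported when a duplicate exists, because
    at that point the analyst has to decide which one is real.
    """
    findings: Dict[int, List[str]] = {}
    lsass = [p for p in procs if p.name == "lsass.exe"]

    for p in lsass:
        reasons = []
        if len(lsass) > 1:
            reasons.append("more than one lsass.exe running")
        if p.path != EXPECTED_PATH:
            reasons.append("unexpected image path %s" % p.path)
        if p.parent not in EXPECTED_PARENTS:
            reasons.append("unexpected parent %s" % p.parent)
        if reasons:
            findings[p.pid] = reasons
    return findings


# Constructed sample snapshot: one real lsass.exe and one impostor that
# carries the same name but runs from an application directory.
SAMPLE_SNAPSHOT = """\
# pid  | name         | image path                          | parent
4      | System       | System                              | -
520    | wininit.exe  | C:\\Windows\\System32\\wininit.exe  | System
588    | lsass.exe    | C:\\Windows\\System32\\lsass.exe    | wininit.exe
1340   | explorer.exe | C:\\Windows\\explorer.exe           | userinit.exe
2210   | lsass.exe    | C:\\ATM\\app\\lsass.exe             | explorer.exe
"""


if __name__ == "__main__":
    for pid, reasons in find_lsass_impostors(parse_snapshot(SAMPLE_SNAPSHOT)).items():
        print(pid, "->", "; ".join(reasons))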


Re: Security through obscurity (MacIntyre, RISKS-25.69)

"Steven M. Bellovin" <smb@cs.columbia.edu>
Sat, 6 Jun 2009 22:21:01 -0400

The subject of security through obscurity comes up frequently.  I think
a lot of the debate happens because people misunderstand the issue.

It helps, I think, to go back to Kerckhoffs' second principle, translated as
"The system must not require secrecy and can be stolen by the enemy without
causing trouble" (per http://petitcolas.net/fabien/kerckhoffs/).  Kerckhoffs
said neither "publish everything" nor "keep everything secret"; rather, he
said that the system should still be secure *even if the enemy has a copy*.

In other words -- design your system assuming that your opponents know it in
detail.  (A former official at NSA's National Computer Security Center told
me that the standard assumption there was that serial number 1 of any new
device was delivered to the Kremlin.)  After that, though, there's nothing
wrong with trying to keep it secret -- it's another hurdle factor the enemy
has to overcome.  (One obstacle the British ran into when attacking the
German Enigma system was simple: they didn't know the unkeyed mapping
between keyboard keys and the input to the rotor array.)  But -- *don't rely
on secrecy*.

Steve Bellovin, http://www.cs.columbia.edu/~smb

  [The petitcolas website is very helpful.  Check it out!  Steve included
  the original quote in French, but I could not make it look correct. PGN]
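Bellovin's distinction ("design your system assuming that your opponents know it in detail", then keep it secret anyway if you can) can be made concrete with two toy message-authentication schemes. This is an added example, not code from Bellovin's post or from the petitcolas site. The baked-in constant, the message strings and the attacker functions are all constructed for illustration; the only real primitives are Python's hashlib and hmac.

```python
"""Kerckhoffs' principle in code: security must survive the design leaking.

Added example.  Two ways to tag a message so a verifier can detect tampering:

  obscure_tag  The only "secret" is a constant baked into the program.  Whoever
               holds a copy of the program (serial number 1 in the Kremlin, in
               Bellovin's phrase) can forge tags at will.

  keyed_tag    The algorithm (HMAC-SHA256) is public; the secret is a key that
               is not part of the program.  A copy of the code is useless
               without the key, so keeping the code secret is an extra hurdle
               rather than the thing security rests on.
"""
import hashlib
import hmac
import secrets

# Constructed "secret" constant.  It is part of the program, so it leaks the
# moment the program does.
_BAKED_IN_CONSTANT = b"ATM-firmware-build-2009"


def obscure_tag(msg: bytes) -> str:
    """Tag whose only protection is that nobody knows the constant."""
    return hashlib.sha256(_BAKED_IN_CONSTANT + msg).hexdigest()


def obscure_verify(msg: bytes, tag: str) -> bool:
    return hmac.compare_digest(obscure_tag(msg), tag)


def new_key() -> bytes:
    """Fresh 256-bit key; lives outside the program (config, HSM, ...)."""
    return secrets.token_bytes(32)


def keyed_tag(key: bytes, msg: bytes) -> str:
    """Public algorithm, secret key."""
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


def keyed_verify(key: bytes, msg: bytes, tag: str) -> bool:
    return hmac.compare_digest(keyed_tag(key, msg), tag)


def attack_obscure(msg: bytes) -> bool:
    """Attacker holds a copy of the program.  Is a forged tag accepted?

    With the constant in hand the attacker simply runs the same function,
    so the verifier cannot tell the forgery from a legitimate tag.
    """
    forged = obscure_tag(msg)
    return obscure_verify(msg, forged)


def attack_keyed(msg: bytes, verifier_key: bytes, guesses: int = 1000) -> bool:
    """Attacker holds the program (this file, hashlib, hmac) but not the key.

    The best available move is to guess keys.  With 256-bit keys, `guesses`
    attempts succeed with probability guesses / 2**256, i.e. never in
    practice.  Returns True only if a forgery was accepted.
    """
    for _ in range(guesses):
        forged = keyed_tag(secrets.token_bytes(32), msg)
        if keyed_verify(verifier_key, msg, forged):
            return True
    return False


if __name__ == "__main__":
    key = new_key()
    print("obscurity-only scheme forged by code holder:", attack_obscure(b"dispense 2000"))
    print("keyed scheme forged by code holder:        ", attack_keyed(b"dispense 2000", key))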


REVIEW: "Zero Day Threat", Byron Acohido/Jon Swartz

Rob Slade <rmslade@shaw.ca>
Mon, 8 Jun 2009 11:19:34 -0800

BKZRDYTH.RVW   20090120

"Zero Day Threat", Byron Acohido/Jon Swartz, 2008, 978-1-4027-5695-5,
U$19.95/C$21.95
%A   Byron Acohido
%A   Jon Swartz
%C   1 Atlantic Ave, #105, Toronto, ON, Canada   M6K 3E7
%D   2008
%G   978-1-4027-5695-5 1-4027-5695-X
%I   Sterling Publishing Co., Inc.
%O   U$19.95/C$21.95 800-805-5489 specialsales@sterlingpublishing.com
%O  http://www.amazon.com/exec/obidos/ASIN/140275695X/robsladesinterne
  http://www.amazon.co.uk/exec/obidos/ASIN/140275695X/robsladesinte-21
%O   http://www.amazon.ca/exec/obidos/ASIN/140275695X/robsladesin03-20
%O   Audience n Tech 1 Writing 2 (see revfaq.htm for explanation)
%P   297 p.
%T   "Zero Day Threat"

The title here is definitely misleading: the authors have just taken a
sensational term and stuck it on a book about "the shocking truth of how
banks and credit bureaus help cyber crooks steal your money and identity."
Now, as a malware researcher, I'm delighted to see them state, right off the
top, the rather bitter truth that security is in such a sorry state because
the general populace demands convenience over security, and major companies
are willing to give it to them.  I'm not quite as happy to find that Acohido
and Swartz don't fully understand what a zero day threat actually is.  I'm
willing to suspend judgment for a while based on their very useful division
of each chapter into exploiters (traditional blackhats and opportunists),
enablers (those who build weak infrastructures), and expediters (those who,
in various ways, make the problem worse).  It's good to see that the authors
aren't just retailing the common "oooh, teenage hackers!"  stories, and
realize that the situation is complex, and involves the interacting
behaviours of many different parties.

The synergy of this approach is not demonstrated in chapter one.  Of the
three parts of the chapter, the first talks about some drug addicts involved
in dumpster diving for credit card and bank account information, the second
briefly notes the speed and volume of credit card transactions, and the
third examines a few of the malware instances around the year 2000.  It is
not clear what these have to do with each other.  Subsequent chapters follow
up on these stories.  The tales start to interweave at about chapter five,
but few connections are made between the items in the content, and those
that do exist seem to be almost random.  A final chapter in the book,
eighteen, is entitled "What Must Be Done."  Unfortunately, it is overly
broad, and not very specific, reducing to an assertion that we need better
financial activity oversight and review, better Internet infrastructure, and
better security in operating systems and other software.  Appendix A, on
personal security, contains a fairly pedestrian collection of advice on
credit card, financial, computer, and Internet security.  All of the
recommendations would help increase the safety of most people: sadly they do
not exhaust the possible avenues of attack, and many of the suggestions are
not completely within the capability of the average user.  (For example,
yes, it is a good idea to use strong passwords that are long, and contain a
mix of characters, and to change those passwords on a regular basis.  The
trick is to teach people ways of creating passwords such that the user can
remember them, and attackers can't.  As a second instance, it is dangerous
to click on any banner ad or popup window: what proportion of those who use
the Internet regularly can identify those entities when they appear?)

Acohido and Swartz demonstrate, as David Rice did in "Geekonomics"
(cf. BKGKNMCS.RVW), that financial entities have little incentive either to
take serious steps to reduce electronic fraud, or to protect consumers (or
merchants) from losses due to fraudulent transactions.

The authors have done an excellent job of research in the narrative, at
least as far as events in the public record are concerned.  There is also
evidence of commendable exclusive investigation to confirm or enhance
specific areas.  Unfortunately, the technical material has little depth, and
is somewhat suspect when dealing with specialized areas.

Overall, the stories of the blackhat community are entertaining, the tales
from the financial world emphasize dangers that should be stressed, and the
narratives from the malware environment provide a history (more social than
technical) of major recent infestations.  The work contains a wealth of
stories that could be used to promote security awareness, but doesn't
otherwise provide a significant source of security assistance.

copyright Robert M. Slade, 2009    BKZRDYTH.RVW   20090120
http://victoria.tc.ca/techrev/rms.htm
