The RISKS Digest

Forum on Risks to the Public in Computers and Related Systems

ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

Volume 25 Issue 12

Tuesday 22 April 2008

Contents

Industrial Control Systems Killed Once, Will Kill Again
Ryan Singel
GPS leads a bus astray
David Caley
Neighbor's data shows up in my browser
borborugmus
Oklahoma Dept of Corrections Website URLs contain raw SQL
Jim Garrison
Real-time spying on credit card holders
Nick Brown
Larger Prey Are Targets of Phishing
John Markoff via Monty Solomon
Aer Lingus economy 5-euro flights to the US after test data leaked to web
Patrick O'Beirne
Gone in 60 seconds: Spambot cracks Live Hotmail CAPTCHA
Emil Protalinki via Monty Solomon
Bouncing Merrily Along
Peter B. Ladkin
The 10,000 web sites infection mystery solved
Bojan Zdrnja via Monty Solomon
Re: Census to scrap handheld computers for 2010 count
Derek P Schatz
Re: Search engine bait?
Randall Roberts
Re: Another genuine mail that looks like a phish
Gregory Hicks
Re: Nissan GT-R sports car and GPS
Peter Houppermans
JTaylor
2008 IEEE Symposium on Security and Privacy
Yong Guan
REVIEW: "Computer Security: Principles and Practice"
Rob Slade
Info on RISKS (comp.risks)

Industrial Control Systems Killed Once, Will Kill Again (Ryan Singel)

"Peter G. Neumann" <neumann@csl.sri.com>
Fri, 11 Apr 2008 5:10:42 PDT
On 10 Jun 1999 a 16-inch diameter steel pipeline operated by the now-defunct
Olympic Pipeline Co. ruptured near Bellingham, Washington, flooding two
local creeks with 237,000 gallons of gasoline.  The gas ignited into a
mile-and-a-half river of fire that claimed the lives of two 10-year-old boys
and an 18-year-old man, and injured eight others.

Wednesday, computer-security experts who recently re-examined the Bellingham
incident called its victims the first verified human casualties of a
control-system computer incident.  They argue that government cybersecurity
standards currently under debate might have prevented the tragedy. ...

Following the 1999 incident, a nearly three-year investigation by the
National Transportation Safety Board concluded that multiple causes
contributed to the deadly conflagration, including pipeline damage
inflicted by construction workers years earlier, and a misconfigured
valve.

But the factor that intrigues Joe Weiss (Applied Control Solutions) and
Marshall Abrams (MITRE) is a still largely unexplained computer failure that
began less than 30 minutes before the accident and paralyzed the central
control room operating the pipeline, preventing workers from releasing
pressure in the line before it hemorrhaged.

With support from the U.S. National Institute of Standards and Technology,
Weiss and Abrams pored over public government records on the incident,
looking at it through the lens of a pending cybersecurity standard called
NIST 800-53.  The duo concluded that the requirements in the standard would
have prevented the explosion from occurring. ...

Security experts and government investigators have long warned that the
complex networks controlling critical infrastructures like the power grid,
and gas and oil pipelines, were not built with security in mind—a point
driven home by several incidents of the systems failing.  In January 2003,
the Slammer worm penetrated a private computer network at Ohio's Davis-Besse
nuclear power plant and disabled a safety-monitoring system for nearly five
hours.  Later that year, a software bug in a General Electric
energy-management system contributed to a cascading power failure that cut
off electricity to 50 million people in eight states and a Canadian
province.  [Source: Ryan Singel, Wired.com, Threat Level: Privacy, Security,
Politics and Crime Online, blog 9 Apr 2008; PGN-ed]
  http://blog.wired.com/27bstroke6/2008/04/industrial-cont.html


GPS leads a bus astray

David Caley <dcaley@marchex.com>
Thu, 17 Apr 2008 13:31:29 -0700
Another instance of directions from a GPS navigational device overriding
common sense:

  A police report said the driver of a charter bus (11' 8") carrying 22
  students told police he was following directions from a global positioning
  device prior to a crash into a pedestrian overpass that was too low (9'
  clearance).  [Source: Seattle, KIRO TV, 17 Apr 2008]
  http://www.kirotv.com/news/15912549/detail.html


Neighbor's data shows up in my browser

borborugmus <borborugmus@gmail.com>
Sun, 13 Apr 2008 20:51:12 -0400
This weekend I was doing some last-minute work on my taxes, using TurboTax
Deluxe tax software. TurboTax has an online site, ItsDeductible.com, that
you can go to in order to get help in determining the value of non-monetary
charitable deductions you've made.

I had been to the ItsDeductible site once or twice in the past, and had had
a little trouble logging in.  So I went to a section on the site to try and
change my login name, which I had made much too long.  I started to type in
my current information, and when I typed in the first letter of my first
name, the auto-complete function put in the name "Jason" instead of my name.
That seemed very strange, because I am the only person who ever uses this
computer, and my name is not Jason.

I changed it back to my own first name, and typed in my last name.  Then I
tabbed to the address field.  As I typed in the first digit of my 3-digit
house number, the house number and street name of my next-door-neighbor
showed up in the auto-complete list!  Since I know these neighbors, and know
that the homeowner's first name is "Jason", I next moved back up to the
"Last name" field of the form.  I typed in the first letter of what I know
is Jason's last name.  And Jason's last name came up in the auto-complete
list!

There seems to be some way that my next-door-neighbor's information got into
my PC.  They always have their wireless internet on, but my wireless
reception is usually disabled.  I really don't know how this could have
happened.  Of course, since the problem showed up while I was doing my
taxes, I am even more paranoid about what information of mine might have
been swapped between households.

I tried to make the problem repeat after a reboot, but was unable to
duplicate the login screen.  I also checked my "Identity Safe" passwords
from Norton, and see that only my own information is saved for that web
site.  The browser I used was Firefox, but I can't find a way to see how it
has stored its auto-complete section.


Oklahoma Dept of Corrections Website URLs contain raw SQL

Jim Garrison <jhg@jhmg.net>
Tue, 15 Apr 2008 11:56:14 -0500
The Oklahoma DOC published a web interface where the URL contained the SQL
query executed to retrieve the data to be reported. Thus, any knowledgeable
user could execute general SQL queries against a database containing large
amounts of personal information—including UPDATE statements (!)  It was
taken down only after management was shown that THEIR personal information
was available.

http://thedailywtf.com/Articles/Oklahoma-Leaks-Tens-of-Thousands-of-Social-Security-Numbers,-Other-Sensitive-Data.aspx
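The following is an added illustration, not code from the Oklahoma DOC site or from the Daily WTF article, of the flaw Jim describes and of the usual fix. The parameter name sqlQuery, the table layout and the records are constructed for the example; the database is an in-memory SQLite file so it runs offline. The vulnerable handler executes whatever SQL the URL carries, so a GET request can both read every column and rewrite rows; the fixed handler treats the URL as data only, choosing columns from a server-side allowlist and binding the filter value as a parameter.

```python
import sqlite3
from urllib.parse import parse_qs, quote, urlsplit

# Constructed sample records (not real data) standing in for the register.
SAMPLE_ROWS = [
    ("Doe, J.", "123-45-6789", "Tulsa"),
    ("Roe, R.", "987-65-4321", "Lawton"),
]


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE offenders (name TEXT, ssn TEXT, facility TEXT)")
    conn.executemany("INSERT INTO offenders VALUES (?, ?, ?)", SAMPLE_ROWS)
    conn.commit()
    return conn


def vulnerable_report(conn, url):
    """The anti-pattern: whatever SQL the 'sqlQuery' URL parameter carries is
    executed verbatim.  (The parameter name is an assumption for the example.)"""
    sql = parse_qs(urlsplit(url).query)["sqlQuery"][0]
    cur = conn.execute(sql)
    conn.commit()  # an UPDATE or DELETE arriving in the URL is persisted too
    return cur.fetchall()


ALLOWED_COLUMNS = ("name", "facility")  # ssn deliberately absent


def safe_report(conn, url):
    """The fix: the URL carries data, never SQL.  Column names come from a
    server-side allowlist and the filter value is bound as a parameter."""
    params = parse_qs(urlsplit(url).query)
    columns = params.get("cols", ["name"])[0].split(",")
    if any(c not in ALLOWED_COLUMNS for c in columns):
        raise ValueError("requested column is not reportable")
    facility = params.get("facility", [""])[0]
    sql = f"SELECT {', '.join(columns)} FROM offenders WHERE facility = ?"
    return conn.execute(sql, (facility,)).fetchall()


def demo_leak():
    """Read every SSN through the report URL."""
    conn = make_db()
    url = "http://doc.example/report?sqlQuery=" + quote("SELECT name, ssn FROM offenders")
    return vulnerable_report(conn, url)


def demo_tamper():
    """A plain GET request that rewrites the database."""
    conn = make_db()
    url = "http://doc.example/report?sqlQuery=" + quote("UPDATE offenders SET facility = 'Released'")
    vulnerable_report(conn, url)
    return conn.execute("SELECT DISTINCT facility FROM offenders").fetchall()


def demo_safe():
    """Same ideas against the fixed handler: a legitimate query works, a quote
    injected into the value matches nothing, and asking for ssn is refused."""
    conn = make_db()
    ok = safe_report(conn, "http://doc.example/report?cols=name&facility=Tulsa")
    injected = safe_report(conn, "http://doc.example/report?cols=name&facility="
                           + quote("Tulsa' OR '1'='1"))
    try:
        safe_report(conn, "http://doc.example/report?cols=name,ssn&facility=Tulsa")
        refused = False
    except ValueError:
        refused = True
    return ok, injected, refused


if __name__ == "__main__":
    print(demo_leak())
    print(demo_tamper())
    print(demo_safe())
```

The allowlist matters as much as the bound parameter: column and table names cannot be bound as SQL parameters, so the only safe way to let a URL choose them is to map the request onto names the server already knows.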


Real-time spying on credit card holders

Nick Brown <Nick.BROWN@coe.int>
Fri, 11 Apr 2008 12:40:53 +0200
Business Week reports that Mastercard is to launch a new service which will,
among other things, allow the payer of a corporate or other card to receive
real-time alerts as to what the card is being used for.
  http://www.businessweek.com/magazine/content/08_16/b4080031217154.htm

The risks are left as an exercise for the reader...


Larger Prey Are Targets of Phishing (John Markoff)

Monty Solomon <monty@roscom.com>
Wed, 16 Apr 2008 08:53:03 -0400
An e-mail scam aimed squarely at the nation's top executives is raising new
alarms about the ease with which people and companies can be deceived by
online criminals.  Thousands of high-ranking executives across the country
have been receiving e-mail messages this week that appear to be official
subpoenas from the United States District Court in San Diego.  Each message
includes the executive's name, company and phone number, and commands the
recipient to appear before a grand jury in a civil case.

A link embedded in the message purports to offer a copy of the entire
subpoena. But a recipient who tries to view the document unwittingly
downloads and installs software that secretly records keystrokes and sends
the data to a remote computer over the Internet. This lets the criminals
capture passwords and other personal or corporate information.  Another
piece of the software allows the computer to be controlled remotely.
According to researchers who have analyzed the downloaded file, less than 40
percent of commercial antivirus programs were able to recognize and
intercept the attack.

The tactic of aiming at the rich and powerful with an online scam is
referred to by computer security experts as whaling. The term is a play on
phishing, an approach that usually involves tricking e-mail users - in this
case the big fish - into divulging personal information like credit card
numbers. Phishing attacks that are directed at a particular person, rather
than blasted out to millions, are also known as spear phishing.

The latest campaign has been widespread enough that two California federal
courts and the administrative office of the United States Courts posted
warnings about the fake messages on their Web sites.  Federal officials said
they stopped counting after getting hundreds of phone calls from
corporations about the messages. At midday on 15 Apr 2008, one antispam
company, MX Logic, said in a Web posting that its service was still seeing
at least 30 of the messages an hour.

  [Source: John Markoff, *The New York Times*, 16 Apr 2008; excellent long
  article, PGN-ed]
http://www.nytimes.com/2008/04/16/technology/16whale.html?ex=1365998400&en=208591045a06cdff&ei=5090


Aer Lingus economy 5-euro flights to the US after test data leaked to web

"Patrick O'Beirne" <pob@sysmod.com>
Fri, 18 Apr 2008 14:43:40 +0100
Aer Lingus blamed a technical fault for Wednesday's error, which saw up to
300 people book 5-euro business-class flights to the US.  However, the
airline will provide economy-class seats to the customers who made the
reservations between 7.30am and 9am, when a promotional fare test webpage was
mistakenly put up live.  [The flights of course were not 5 euro but about
150 euro each when taxes and charges were added.  PO'B] [Source: RTE news;
PGN-ed]

http://www.rte.ie/news/2008/0418/aerlingus.html
Patrick O'Beirne, Systems Modelling Ltd.
http://www.sysmod.com/  (+353)(0) 5394 22294


Gone in 60 seconds: Spambot cracks Live Hotmail CAPTCHA

Monty Solomon <monty@roscom.com>
Wed, 16 Apr 2008 08:05:12 -0400
Emil Protalinski, 15 Apr 2008

Internet users are quite familiar with the Completely Automated Public
Turing test to tell Computers and Humans Apart (CAPTCHA), a quick method
that verifies whether or not the user trying to sign up is a person or a
bot. A picture with swirled, mangled, or otherwise distorted characters is
displayed and the user then types in the correct letters or numbers. Thus
far, the system has worked well to slow down malicious bots, but recently
the groups behind such software have made significant strides. A security
firm is now reporting that the CAPTCHA used for Windows Live Mail can now be
cracked in as little as 60 seconds.

Back in early February, a group cracked Windows Live Hotmail's CAPTCHA. A
few weeks later, Gmail's version followed suit. In just over a month's time,
some anti-spam vendors were forced to completely block the domain for the
popular service as bots signed up for thousands of bogus accounts and began
to flood the tubes with e-mail advertisements for lottery tickets and
watches. The close proximity of the two cracks has done everything but seal
CAPTCHA's fate.

To make matters worse, Websense Security Labs is now reporting that the
method for getting around Windows Live Mail's CAPTCHA has been improved to
the point that a bot can decipher the text and make a guess in less than six
seconds, on average. Windows Live Hotmail's Anti-CAPTCHA automatic bot,
which hooks itself into Internet Explorer on a victim's machine, has a
success rate of about 10-15 percent.  That means that it takes up to one
minute for a single bot to create a new account.  ...

http://arstechnica.com/news.ars/post/20080415-gone-in-60-seconds-spambot-cracks-livehotmail-captcha.html


Bouncing Merrily Along

"Peter B. Ladkin" <ladkin@rvs.uni-bielefeld.de>
Tue, 22 Apr 2008 09:04:10 +0200
We recently reconfigured our mail SW and for a couple of days I got a few
hundred rejected-mail bounce messages. My e-mail address has been forged
by spammers for years and these bounces came from handling such fraudulent
messages.

No one in this world, so far as I know—and I have searched the records
for years, and employed agents to help me—has ever lost money by
underestimating the intelligence of the great masses of the mail system
administrators. And I can't be the first to have observed that. So I am
prepared to believe that there are at least a few hundred admins out there
who have never heard of spam and fraudulent "From:" lines.

But many if not most of these messages came from machines that either
advertised themselves as spam filters, or showed that the message had passed
through spam filters!

One could make it a legal offence to reply to the "From:" address of a
message one had classified as spam. It likely wouldn't curb the phenomenon,
but it would ensure a steady flow of cash to the state, which could then
redistribute it amongst Internet infrastructure providers.

Peter B. Ladkin,  Causalis Limited and University of Bielefeld
www.causalis.com   www.rvs.uni-bielefeld.de

  [NOTE: neumann and risks From: addresses have been widely forged in
  the past few weeks.  PGN]
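An added example, not part of Peter Ladkin's message or the RISKS site: since one cannot fix every filter that accepts a message and then bounces it to a forged "From:" address, the forged party can at least refuse the backscatter. The usual technique is a signed envelope sender (the BATV "prvs" scheme, shown here in simplified form): outbound mail goes out with a MAIL FROM that carries an expiring HMAC tag, and any bounce (a session with MAIL FROM:<>) addressed to an untagged or badly tagged local address is rejected at RCPT TO, because this site never sent the original. The site secret, the local domain and the day-counter convention are assumptions of the example.

```python
import hashlib
import hmac
import re

SECRET = b"per-site secret, rotate it"  # assumed value; keep it out of source in practice
LOCAL_DOMAIN = "example.org"            # assumed local domain
LIFETIME_DAYS = 7                       # bounces for mail older than this are refused


def _tag(local_part, expiry_day):
    """Six hex digits of HMAC-SHA256 over the expiry day and the local part."""
    mac = hmac.new(SECRET, f"{expiry_day:03d}:{local_part}".encode(), hashlib.sha256)
    return mac.hexdigest()[:6]


def sign_envelope_sender(address, today):
    """Outbound MAIL FROM: prvs=<DDD><tag>=<local>@<domain>.  'today' is a
    running day counter (e.g. days since the epoch); DDD is the expiry mod 1000."""
    local_part, domain = address.rsplit("@", 1)
    expiry = (today + LIFETIME_DAYS) % 1000
    return f"prvs={expiry:03d}{_tag(local_part, expiry)}={local_part}@{domain}"


PRVS = re.compile(r"^prvs=(\d{3})([0-9a-f]{6})=([^@]+)@(.+)$")


def check_bounce_recipient(rcpt, today):
    """Policy applied at RCPT TO when the session's MAIL FROM is <> (a DSN).
    Returns (accept, smtp_reply_or_unsigned_local_address)."""
    m = PRVS.match(rcpt)
    if not m:
        return False, "550 5.7.1 Bounce to an unsigned address; this site never sent the original"
    expiry_str, tag, local_part, domain = m.groups()
    expiry = int(expiry_str)
    if domain.lower() != LOCAL_DOMAIN:
        return False, "550 5.7.1 Relay denied"
    if not hmac.compare_digest(tag, _tag(local_part, expiry)):
        return False, "550 5.7.1 Bounce signature does not verify"
    if (expiry - today) % 1000 > LIFETIME_DAYS:  # wrapped negative means expired
        return False, "550 5.7.1 Bounce signature expired"
    return True, f"{local_part}@{domain}"


if __name__ == "__main__":
    signed = sign_envelope_sender("user@example.org", 100)
    print(signed)
    print(check_bounce_recipient(signed, 103))           # genuine bounce within a week
    print(check_bounce_recipient("user@example.org", 103))  # backscatter for a forgery
```

The check must be applied only to null-sender sessions, and the tagged address must be stripped back to the plain one before delivery; mail that legitimately comes back with a non-null sender (challenge/response systems, some list software) is unaffected.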


The 10,000 web sites infection mystery solved

Monty Solomon <monty@roscom.com>
Mon, 21 Apr 2008 10:49:21 -0400
Published: 2008-04-16,
Last Updated: 2008-04-16 19:14:00 UTC
by Bojan Zdrnja (Version: 3)

Back in January there were multiple reports about a large number of web
sites being compromised and serving malware. Fellow handler Mari wrote the
initial diary at http://isc.sans.org/diary.html?storyid=3834 .

Later we did several diaries where we analyzed the attacks, such as the one
I wrote at http://isc.sans.org/diary.html?storyid=3823 . Most of the reports
about these attacks we received pointed to exploitation of SQL Injection
vulnerabilities.

Yesterday, one of our old friends, Dr. Neal Krawetz, pointed us to another
site hosting malicious JavaScript files with various exploits. While those
exploits were more or less standard, we managed to uncover a rare gem
between them - the actual executable that is used by the bad guys in order
to compromise web sites.

While we had a general idea about what they do during these attacks, and we
knew that they were automated, we did not know exactly how the attacks
worked, or what tools the attackers used. The strategy was relatively
simple: they used search engines in order to find potentially vulnerable
applications and then tried to exploit them.  The exploit just consisted of
an SQL statement that tried to inject a script tag into every HTML page on
the web site.

The utility we recovered does the same thing. The interface appears to be in
Chinese so it is a bit difficult to navigate around the utility, but we
did some initial analysis of the code (which is very big) to confirm what it
does.  ...

  http://isc.sans.org/diary.html?storyid=4294
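An added example, not code from the ISC diary or from the recovered tool: the attack described above leaves its trace as a remote script include appended to text fields across the site's database, so one useful check on a suspected site is to walk every column of every table and look for it. The schema, the records and the script URL (a reserved example domain) are constructed for the example; the scan deliberately ignores declared column types, since SQLite, like the injection itself, does not respect them.

```python
import re
import sqlite3

# An injected remote script include: <script src="..."></script> in any casing.
SCRIPT_TAG = re.compile(
    r"<script\b[^>]*\bsrc\s*=\s*[\"']?[^\"' >]+[^>]*>\s*</script\s*>", re.IGNORECASE)


def make_sample_db():
    """Constructed CMS-style data; two rows carry the injected tag."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE pages (id INTEGER PRIMARY KEY, title TEXT, body TEXT, views INTEGER)")
    conn.execute("CREATE TABLE comments (id INTEGER PRIMARY KEY, author TEXT, text TEXT)")
    tag = '<script src="http://malware.example/x.js"></script>'  # constructed
    conn.executemany("INSERT INTO pages (title, body, views) VALUES (?, ?, ?)", [
        ("Home", "<p>Welcome</p>" + tag, 10),
        ("About", "<p>About us</p>", 3),
    ])
    conn.executemany("INSERT INTO comments (author, text) VALUES (?, ?)", [
        ("alice" + tag, "first!"),   # the payload lands in non-HTML fields too
        ("bob", "nice site"),
    ])
    conn.commit()
    return conn


def all_columns(conn):
    """Yield (table, column) for every user table, from the catalogue."""
    tables = [r[0] for r in conn.execute(
        "SELECT name FROM sqlite_master WHERE type='table' AND name NOT LIKE 'sqlite_%'")]
    for table in tables:
        for col in conn.execute(f'PRAGMA table_info("{table}")'):
            yield table, col[1]


def find_injected(conn):
    """Return (table, column, rowid, matched_tag) for every tainted value."""
    hits = []
    for table, column in all_columns(conn):
        for rowid, value in conn.execute(f'SELECT rowid, "{column}" FROM "{table}"'):
            if isinstance(value, str):
                m = SCRIPT_TAG.search(value)
                if m:
                    hits.append((table, column, rowid, m.group(0)))
    return hits


def strip_injected(conn):
    """Remove the tag from each tainted value in place; returns rows changed."""
    changed = 0
    for table, column, rowid, _ in find_injected(conn):
        value = conn.execute(f'SELECT "{column}" FROM "{table}" WHERE rowid = ?',
                             (rowid,)).fetchone()[0]
        conn.execute(f'UPDATE "{table}" SET "{column}" = ? WHERE rowid = ?',
                     (SCRIPT_TAG.sub("", value), rowid))
        changed += 1
    conn.commit()
    return changed


if __name__ == "__main__":
    db = make_sample_db()
    for hit in find_injected(db):
        print(hit)
    print("cleaned rows:", strip_injected(db))
```

Cleaning the rows is only the visible half of the fix; the injection point the tool found through the search engine is still there until the application's own queries are parameterized, and the same scan run again after a day will say whether it was.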


Re: Census to scrap handheld computers for 2010 count (RISKS-25.11)

"Schatz, Derek P" <Derek.P.Schatz@boeing.com>
Wed, 9 Apr 2008 17:47:58 -0700
And what would be the likelihood that the handheld computers could be
re-used for the 2020 Census?  Would the vendor still support the more than
10-year-old hardware at that time?  How many RISKS subscribers are still
using 10+ year old computers?

The risk: Spending gigantic wads of money on something that will be
obsolete before it can be used even a second time?


Re: Search engine bait? (RISKS 25.09)

"Randall Roberts" <randall.roberts@eds.com>
Thu, 10 Apr 2008 12:12:05 -0500
This might be a simple captcha hacking operation.  Well-designed
captchas are hard to break programmatically, so people put up stuff like
this to get people to do the work for them.

Randy Roberts, Global Network Security Capability EDS, Security & Privacy
Service Line, MD 354 4000 North Mingo Road Tulsa, OK 74116 +1 918 939-4844

  [Also noted by Joseph Gwinn.  PGN]


Re: Another genuine mail that looks like a phish (Piper, RISKS-25.11)

Gregory Hicks <ghicks@cadence.com>
Wed, 9 Apr 2008 20:35:22 -0700 (PDT)
Let's just say this: If you're running a marketing campaign for some
company, you'd want to have some way of collecting metrics that allow you to
go back to the sponsoring company and say "Look, we got you this many
qualified leads.  Of these, this many bought your product.  So you owe us $X
plus $Y as a bonus..."

Anyway, that is why a company will send you an e-mail, expect you to click a
link and end up at the client company's website.


Re: Nissan GT-R sports car and GPS (Clark, RISKS-25.11)

Peter Houppermans <peter@houppermans.com>
Thu, 10 Apr 2008 12:49:29 +0200
If the onboard navigation system was designed by TomTom it will probably ask
you all these questions whilst you're driving. TomTom appears to have
decided in Navigator 6 that certain things like setting up a data link for
traffic information are important enough to divert your attention from the
road, and there's no disabling that question.  It would be nice if someone
added an 'adult' mode where you can take some of those decisions yourself
again, and just once instead of every time...

Tomtom have a watchdog idea too, and the potential flaws in both this and
the Nissan approach are identical: a flawed map or analysis will make a mess
of the conclusion.  In the case of Tomtom, maps include in some places speed
limit information which is in itself not such a bad idea.

The idea went off the cliff by making display modifications based on the
speed data.  When you exceed the "map limit", the speed indicator goes red.
When you go WELL over the speed limit it starts blinking, not normal-inverse
but visible-invisible, at approx a 1Hz frequency.

In other words, for a precise speed indication you may have to take your
eyes off the road for a full second in the worst possible conditions.  Duh.
Oh, and no way to disable that feature either.

But no fears of Big Brother speed limits via GPS: not only did I find the
speed limit data far from accurate, even when corrected there's another fly
in the ointment: variable limits.

In various countries, multiple speed limits are deployed, adjusted according
to situation (snow, pollution, accidents etc).  Which speed limit do you
store?

All I'm waiting for now is a government imposed feature where speeding
drivers will be automatically diverted into the nearest traffic jam...


Re: Nissan GT-R sports car and GPS (Clark, RISKS-25.11)

<jtayNOSPAMlor@hfDONTSENDMESPAMx.andara.com>
Thu, 10 Apr 2008 12:10:54 GMT
> Then after thrashing it on the track, you must take it for a $1000 Nissan
> High Performance Center safety check or the warranty is void.

GPS jammers cost less than $100.  Does the car work if it can't get a GPS
fix?


2008 IEEE Symposium on Security and Privacy

"Peter G. Neumann" <neumann@csl.sri.com>
Fri, 18 Apr 2008 23:35:46 PDT
PROGRAM:
http://www.ieee-security.org/TC/SP2008/oakland08.html

May 18-21, 2008, The Claremont Resort
Berkeley/Oakland, California, USA
Claremont Hotel Group Rate Deadline: April 25, 2008

Contact: Yong Guan <guan@iastate.edu>


REVIEW: "Computer Security: Principles and Practice", William Stallings/Lawrie Brown

Rob Slade <rmslade@shaw.ca>
Mon, 14 Apr 2008 12:34:38 -0800
BKCMSCPP.RVW   20080204

"Computer Security: Principles and Practice", William Stallings/Lawrie
Brown, 2008, 978-0-13-600424-0
%A   William Stallings williamstallings.com/CompSec/CompSec1e.html
%A   Lawrie Brown
%C   One Lake St., Upper Saddle River, NJ   07458
%D   2008
%G   0-13-600424-5 978-0-13-600424-0
%I   Prentice Hall
%O   800-576-3800 416-293-3621 +1-201-236-7139 fax: +1-201-236-7131
%O  http://www.amazon.com/exec/obidos/ASIN/0136004245/robsladesinterne
  http://www.amazon.co.uk/exec/obidos/ASIN/0136004245/robsladesinte-21
%O   http://www.amazon.ca/exec/obidos/ASIN/0136004245/robsladesin03-20
%O   Audience i+ Tech 2 Writing 3 (see revfaq.htm for explanation)
%P   798 p.
%T   "Computer Security: Principles and Practice"

I am woefully laggard in getting this review out, particularly since I
reviewed the text in process, last fall, and therefore have to declare
a possibility of bias.

The preface states that the book is intended as the text for a one- or
two-semester course in computer security.  The work is also addressed
to professionals as a basic reference.  In that latter regard it may
come up short, missing elements of infrastructure, fire protection,
investigation, forensics, and being rather weak in terms of
architecture and business continuity planning.

There is a rather interesting chapter zero in the volume (it and
chapter one are presumably "part zero," which is sound computing
theory, but somewhat bemusing in a book) laying out the structure of
the text, as well as pointing to the technical resource and course
Website, noted above.  Chapter one defines fundamental security terms
and concepts from various sources.  The list is comprehensive, but,
given sometimes conflicting positions, little attempt is made to
analyze, integrate, or unify the material.  There is an excellent set
of references and a solid set of questions and problems, as well as a
brief appendix addressing security standards and documents.

Part one involves computer security technology and principles.  Chapter two
introduces cryptographic tools.  The basic ideas of cryptography are
presented, but one must go to other chapters and appendices for details and
usage of the technology.  This structure is unusual in cryptographic
literature, but the new perspective may demonstrate somewhat stale
abstractions in a fresh way.  It is rather odd that the coverage of
authentication, in chapter three, does not note the IAAA model of
Identification, Authentication, Authorization, and Accountability.  Access
control, in chapter four, is limited to data access.  (The authors also
follow the original paper describing Role-Based Access Control as a form of
mandatory access control, even though RBAC is now frequently used in
discretionary access control environments.)  Chapter five's discussion of
database security emphasizes the theoretical aspects of that specialty.
Intrusion detection is introduced in chapter six.  Malicious software is
given a scholarly, rather than practical, treatment in chapter seven, but
the content is more accurate than is usual even in the security literature.
Denial of service attacks are addressed in chapter eight.  Chapter nine's
review of firewalls concentrates, almost exclusively, on stateful
inspection, and the material on intrusion prevention systems repeats, to a
large extent, chapter six.  Trusted computing and multilevel security, in
chapter ten, are discussed in terms of formal security models and security
architecture.

Part two deals with software security, with chapter eleven being
devoted to the topic of buffer overflows, and the other software
subjects covered comprising chapter twelve.

Part three contains topics the authors consider to be management
issues.  These are (in order through chapters thirteen to eighteen),
physical and infrastructure security, human factors (primarily policy
and awareness concerns), auditing security management and risk
assessment, security controls (plans and procedures), and legal and
ethical aspects.

Part four details cryptographic algorithms, and the material is as good as
one might expect from the author of "Cryptography and Network Security"
(cf. BKCRNTSC.RVW).  Symmetric encryption and message confidentiality,
illustrated by the Data Encryption Standard and the Advanced Encryption
Standard, is the topic of chapter nineteen.  Asymmetric cryptography and
hashes are in twenty.

Part five turns to Internet security.  Some Internet security protocols and
standards are listed in chapter twenty-one.  A detailed look at Kerberos
leads off chapter twenty-two's examination of authentication applications.

Operating systems security is the subject of part six, with a look at the
Linux model in chapter twenty-three, and Windows in twenty-four.

Appendices at the end of the book provide information on number theory,
pseudorandom number generation, projects for teaching security, standards
and standards organizations, and the TCP/IP protocol suite.

Of the various domains of information systems security, there is limited
material in regard to the security implications of various aspects of
computer hardware and architecture, the formation of an architectural model
for security design, and business continuity planning.  Otherwise, however,
the coverage is quite comprehensive, much more so than in other course texts
such as Gollman's excellent but now aging "Computer Security"
(cf. BKCOMPSC.RVW), Bishop's rather abstract "Computer Security: Art and
Science" (cf. BKCMSCAS.RVW), and Stamp's interesting, but sometimes spotty,
"Information Security: Principles and Practice" (cf. BKINSCPP.RVW).
Anderson's "Security Engineering" (cf. BKSECENG.RVW) is, of course, not only
a solid text, but also a useful professional reference, and Stallings and
Brown might wish to examine the practical issues dealt with in that work.  A
range of editions of the "Information Security Management Handbook" (cf.
BKINSCMH.RVW) would have similar overview, and more detail, but hardly in a
single volume.  There is also the "Official (ISC)^2 Guide to the CISSP Exam"
(cf. BKOIGTCE.RVW), and now the "Official (ISC)^2 Guide to the CISSP CBK,"
but Stallings and Brown's work, while less broad and detailed, is more
academically rigorous.

copyright Robert M. Slade, 2008   BKCMSCPP.RVW   20080204
rslade@vcn.bc.ca     slade@victoria.tc.ca     rslade@computercrime.org
http://victoria.tc.ca/techrev/rms.htm
