The Risks Digest

The RISKS Digest

Forum on Risks to the Public in Computers and Related Systems

ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

Volume 25 Issue 16

Thursday 22 May 2008

Contents

Betting glitch spurs calls for reform
Will Oremus via PGN
Animal tricks, take n+1
Jeremy Epstein
Ants and Computers
Gene Wirchenko
F.B.I. Says the Military Had Bogus Computer Gear
John Markoff via Monty Solomon
Another undeleted/deleted Document - "Krolls Associates"
Danny Burstein
Don't phlash that dwarf - hand me the pliers!
John Leyden via Randall
Geolocation software risks
Mickey Coggins
Shopping centers tracking cell phones
PGN
China's All-Seeing Eye
EEkid via Dave Farber
Re: Real-time spying on credit card holders
Curt Sampson
Microsoft security advice for sale
Peter Houppermans
Old-Style Pumps Balk At $4-a-Gallon Gas, Too
Nick Miroff via Monty Solomon
Clueless in France
Pete Kaiser
PayPal XSS Vulnerability Undermines EV SSL Security
Paul Mutton via Monty Solomon
More GPS Mishaps
Gene Wirchenko
Re: UK CCTV used to create a music video
Chris Drewe
Re: Dilbert wants a widget
Bill Bumgarner
Re: Debian OpenSSL Predictable PRNG Toys
Jim Horning
Re: Securing The Wrong Spaces: A Lesson
David E. Price
Info on RISKS (comp.risks)

"Betting glitch spurs calls for reform"

"Peter G. Neumann" <neumann@csl.sri.com>
Thu, 22 May 2008 14:22:45 PDT
An unidentified bettor at Bay Meadows Race Track (which closed forever on 10
May 2008) apparently put down 1300 one-dollar quick-pick superfecta bets on
the Kentucky Derby.  Not one of the computer-generated tickets included the
eventual winner, Big Brown.  After being prodded by the California Horse
Racing Board on 7 May 2008, the betting machine vendor Scientific Games
discovered that its software was dropping the last horse in the field from
quick-pick choices on all 7,000 of its Bet Jet machines nationwide.  They
"couldn't say" how long this had been happening, as they had "no way" of
auditing past usage.  It was also unclear whether this was an intentional
scam from which anyone was profiting, or just a screw-up.

Incidentally, Scientific Games was the vendor whose equipment was used in
the Breeders' Cup wild-card Autotote Pick-6 insider scam (RISKS-33,38,39).

[Source: Will Oremus, *Palo Alto Daily News*, 21 May 2008; PGN-ed]


Animal tricks, take n+1

"Jeremy Epstein" <Jeremy.Epstein@softwareag.com>
Fri, 16 May 2008 10:11:45 -0400
One of the oldest recurring themes in RISKS is the damage animals can do to
computer systems, generally indirectly by cutting off electricity supplies.
Cf. RISKS-4.02, 8.75, 16.30, 19.96, 20.87, and probably a bunch of others.

We're now moving from mammals (especially squirrels) down the food chain,
and closer to the equipment itself - several recent reports of ants in south
Texas getting in to electronic equipment.  Computerworld [1] quotes an
exterminator as saying "ants shorted out three computers that were running a
pipeline that brought chemicals into the plant. The ants took down two
computers last year and one in 2006, affecting flow in the pipeline each
time... If you open a computer, you would find a cluster of ants on the
motherboard and all over. You'd get 3,000 or 4,000 ants inside, and they
create arcs."

[1]
http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9086098&source=NLT_SEC&nlid=38

  [An arc for these little guys would be *ancillary*.  It would need to be a
  No-Ways Arc, a pun that I reused in the title of the first item in
  RISKS-4.02, recalling Bob Ashenhurst's spoofed page in Rick Gould's PhD
  thesis on bridge switching circuits that delved into no-ways arcs and
  two-terrible subgiraffes in relay graphs with bidirectional current paths.
  I couldn't resist recalling that 51 years later.  PGN]


Ants and Computers

Gene Wirchenko <genew@ocis.net>
Fri, 16 May 2008 10:18:52 -0700
This article tells of a non-indigenous species of ant causing in Texas:
   http://www.itbusiness.ca/it/client/en/CDN/News.asp?id=48425

They are shorting out various forms of equipment including computers.  Here
is the text of the article:

A flood of voracious ants is heading straight for Houston, taking out
computers, radios and even vehicles in their path.  Even the Johnson Space
Center has called in extermination experts to keep the pests out of their
sensitive and critical systems.

The ants have been causing all kinds of trouble in five Texas counties in
and around the Gulf Coast. Because of their sheer numbers, the ants are
short circuiting computers in homes and offices, and knocking systems
offline in major businesses. When IT personnel pry the affected computers
open, they find the machines loaded with thousands of ant bodies.

"These ants are raising havoc," said Roger Gold, professor of entomology at
Texas A&M University in College Station. "They're foraging for food and
they'll go into any space looking for it. In the process, they make their
way into sensitive equipment."

The ants have been dubbed Crazy Rasberry ants after Tom Rasberry, owner of
Budget Pest Control in Pearland, Texas. He first tackled this particular
type of ant back in 2002. Since then, the problem has only escalated.

Rasberry said the ants have caused a lot of trouble for one Texas chemical
company in particular. Not wanting to name the company, he said the ants
shorted out three different computers that were running a pipeline that
brought chemicals into the plant. The ants took down two computers last year
and one in 2006, affecting flow in the pipeline each time.

"I think they go into everything and they don't follow any kind of
structured line," said Rasberry. "If you open a computer, you would find a
cluster of ants on the motherboard and all over. You'd get 3,000 or 4,000
ants inside and they create arcs. They'll wipe out any computer."

The Johnson Space Center called in Rasberry a month or two ago in an attempt
to keep the ants out of their facilities. Too late. Raspberry said he's
found three colonies at the NASA site, but all have been small enough to
control.

'With the computer systems they have in there, it could devastate the
facility," said Rasberry. "If these ants got into the facility in the
numbers they have in other locations, well, it would be awful. I've been in
this business for 32 years and this is unlike anything I've ever seen.
Anything. When you bring in entomologists from all over the United States
and they're in shock and awe, that shows you what it's like."

The Johnson Space Center referred all questions about the ants to Rasberry.

The ants, which are tiny and reddish, aren't native to Texas. Officials
believe they came off a ship from the Caribbean, said Paul Nester, a program
specialist with the Texas AgriLife Extension Service. They were first
spotted about six years ago. Gold said in the last few years they've spread
in a radius of about 50 miles. And now they're moving into Houston, the
fourth-largest city in the country.

"Fifty miles might not seem like a lot until you realize they're moving into
Houston," said Gold. "It could really affect a lot of people's lives."

A big problem here, noted Nester, is how quickly their numbers are
multiplying.

A queen fire ant, long a problem in Texas, can lay as many as 1,000 eggs a
day, he said. The Crazy Rasberry ants are thought to be as prolific.
However, an ant mound normally has one queen. The new ants have many queens
so they're able to multiply their ranks that much more quickly. They also
don't go to the trouble of building ant hills. They simply nest under
anything they can find—a log, a tire or a pet's water bowl—and then
they quickly move on as they spread further into the state.

Nester said the ants swarmed into trucks at a shipping company, shorting out
the radios and even the vehicles themselves.

Gold said the ants got into an engine compartment at a sewage treatment
plant and shorted out the pumps so they couldn't move the sewage out. He
added that they've also overrun a subdivision and caused a lot of electrical
damage to houses there.

Part of the problem is that exterminators have found it nearly impossible to
kill the ants. Oh, you can kill some of them - the first wave, maybe.
However, there are so many more ants coming behind them, that the first wave
falls dead in the insecticide and the subsequent waves merely walk on the
dead bodies, keeping themselves out of the poison and safe from harm.

Gold warned people not to spray pesticide inside their computers and to
simply call in the professionals to prevent mixing up poisonous concoctions
or storing the potentially harmful partly used insecticides."


F.B.I. Says the Military Had Bogus Computer Gear (John Markoff)

Monty Solomon <monty@roscom.com>
Sat, 17 May 2008 20:12:53 -0400
[Source: John Markoff, *The New York Times*, 9 May 2008]

Counterfeit products are a routine threat for the electronics
industry. However, the more sinister specter of an electronic Trojan horse,
lurking in the circuitry of a computer or a network router and allowing
attackers clandestine access or control, was raised again recently by the
F.B.I. and the Pentagon.

The new law enforcement and national security concerns were prompted by
Operation Cisco Raider, which has led to 15 criminal cases involving
counterfeit products bought in part by military agencies, military
contractors and electric power companies in the United States. Over the
two-year operation, 36 search warrants have been executed, resulting in the
discovery of 3,500 counterfeit Cisco network components with an estimated
retail value of more than $3.5 million, the F.B.I. said in a statement.

The F.B.I. is still not certain whether the ring's actions were for profit
or part of a state-sponsored intelligence effort. The potential threat,
according to the F.B.I. agents who gave a briefing at the Office of
Management and Budget on Jan. 11, includes the remote jamming of supposedly
secure computer networks and gaining access to supposedly highly secure
systems. Contents of the briefing were contained in a PowerPoint
presentation leaked to a Web site, Above Top Secret.

A Cisco spokesman said that the company had investigated the counterfeit
gear seized by law enforcement agencies and had not found any secret back
door. ...

http://www.nytimes.com/2008/05/09/technology/09cisco.html?partner=rssuserland&emc=rss&pagewanted=all


Another undeleted/deleted Document - "Krolls Associates"

Danny Burstein <dannyb@panix.com>
Wed, 21 May 2008 11:16:06 -0400 (EDT)
While the story is a bit vague on details as to the format/program
of the original e-mailed document, we've all seen this before:

James Doran, KROLL EXPOSES CLIENT INFO, *NY Post*, 4 May 2008

Inspector Clouseau is alive and well - and he appears to be working for
Kroll Associates.

The corporate spies, who are supposed to specialize in unearthing - and
keeping - company secrets, last week announced the conclusion of a
four-month long investigation into the North Carolina State Highway Patrol.

While the 47-page report appeared to be run of the mill, "meta data" buried
in the electronic document named three Texas-based oil and gas exploration
companies - Panther Bayou Energy, Bayou Bend Petroleum and Cymraec
Resources, which has recently changed its name to Vermillion - and seven
executives related to the companies.

On the subject line of the should-have-been-deleted information are the
words "Due Diligence Investigation" - corporate-speak for the type of spying
carried out by Kroll and others when a company is considering a takeover or
a merger.

[ snippety snip, rest at: ]

http://www.nypost.com/seven/05042008/business/kroll_exposes_client_info_109385.htm


Phlashing attack thrashes embedded systems (John Leyden)

Randall Webmail <rvh40@insightbb.com>
May 21, 2008 4:18:00 PM EDT
  [Don't phlash that dwarf - hand me the pliers!]

John Leyden, Phlashing attack thrashes embedded systems, *The Register*,
21 May 2008 [PGN-ed] <http://www.theregister.co.uk/2008/05/21/phlashing/>

A security attack that damages embedded systems beyond repair was
demonstrated for the first time in London on Wednesday.  The cyber-assault
thrashes systems by abusing firmware update mechanisms.  If successful, the
so-called phlashing attack would force victims to replace systems.

The attack was demonstrated by Rich Smith, head of research for offensive
technologies and threats at HP Systems Security Lab, at the EUSecWest
security conference in London on Wednesday. Smith told Dark Reading that
such as "permanent denial of service" attack could be carried out remotely
over the Internet.
http://www.darkreading.com/document.asp?doc_id=154270&WT.svl=news1_1


Geolocation software risks

Mickey Coggins <risks@int.ch>
Sun, 18 May 2008 22:53:40 +0200
I'm sure this is not news to any RISK readers that are somewhat familiar
with global IP addressing, but may be of interest to those that are not.

There are several companies that sell databases or access to databases that
attempt to map an IP address to a geographic location.  This seems to be
done for reasons such as localizing advertising, and limiting access to data
based on the person's country.

When they get the mapping wrong in their database, it can be problematic for
the owner of the IP address.  I ran across an exchange on the support form
of one such company here:
  http://forums.geobytes.com/viewtopic.php?t=5022

Apparently the design of their software does not allow them to correctly
attribute classless IP addresses smaller than a /24.

The risk here is that their customers are getting wrong results from the
database queries, without any indication.  I'll leave the possible effects
of these wrong results as an exercise for the reader.


Shopping centers tracking cell phones

"Peter G. Neumann" <neumann@csl.sri.com>
Mon, 19 May 2008 14:05:31 PDT
  [Thanks to Lauren Weinstein for spotting this one.  PGN]

Slashdot <http://yro.slashdot.org/article.pl?sid=08/05/18/1838222> notes an
article in the *Times* of London on a tracking device by a company called
Path Intelligence that tracks the whereabouts of cell phones within shopping
centers.
<http://technology.timesonline.co.uk/tol/news/tech_and_web/article3945496.ece>


China's All-Seeing Eye

<EEkid@aol.com [EEkid@aol.com]>
Monday, May 19, 2008 12:02 AM
  [From Dave Farber's IP list]

"Over the past two years, some 200,000 surveillance cameras have been
installed throughout the city. Many are in public spaces, disguised as
lampposts. The closed-circuit TV cameras will soon be connected to a single,
nationwide network, an all-seeing system that will be capable of tracking
and identifying anyone who comes within its range—a project driven in
part by U.S. technology and investment. Over the next three years, Chinese
security executives predict they will install as many as 2 million CCTVs in
Shenzhen, which would make it the most watched city in the world."

"The end goal is to use the latest people-tracking technology --
thoughtfully supplied by American giants like IBM, Honeywell and General
Electric ... to identify and counteract dissent before it explodes into a
mass movement like the one that grabbed the world's attention at Tiananmen
Square."

"The mergers made L-1 a one-stop shop for biometrics. Thanks to board
members like former CIA director George Tenet, the company rapidly became a
homeland-security heavy hitter. ... L-1 can legally supply its
facial-recognition software for use by the Chinese government."

"I get to the customs line at JFK, watching hundreds of visitors line up to
have their pictures taken and fingers scanned. In the terminal, someone
hands me a brochure for "Fly Clear." All I need to do is have my
fingerprints and irises scanned, and I can get a Clear card with a biometric
chip that will let me sail through security. Later, I look it up: The
company providing the technology is L-1."

http://www.rollingstone.com/politics/story/20797485/chinas_allseeing_eye/


Re: Real-time spying on credit card holders (Brown, RISKS-25.14)

Curt Sampson <cjs@cynic.net>
Tue, 6 May 2008 14:30:14 +0900
[Relating to the "risks" of real-time e-mail notification of credit card
transactions]

> * Real-time financial transaction data being sent "by e-mail", as if e-mail
>   guaranteed either delivery of the message....
> ...
> * Overreaction by managers...and cancels the card while I'm in the air.

While these are both certainly "risks," I think that this particular
analysis of the situation is pretty poor: it's nowhere near a balanced risk
assessment that will help someone less knowledgeable about these things to
make a decision, or give us good reason to suggest to the credit card
company that they change or discontinue the service.

So let's look at these two points in that light, shall we?

First, e-mail certainly is not guaranteed delivery. Should we really
want guaranteed real time delivery, we need a better mechanism. Perhaps
a leased line to a terminal in the cardpayer's office? Or a have a human
telephone the cardpayer every time the card is used. Both are pretty
expensive, and unlikely to be implemented. The cheapest alternate and
practical solution I can think of would be to assign an office worker to
check the current card transactions on the card's web site on, say, a
half-hourly basis, which is still pretty expensive.

Assuming e-mail has a 90% success rate for delivery, which option serves the
cardpayer best in preventing fraud: assigning staff to check the website
hourly, enabling the e-mail but having a 10% chance that they'll miss a
transaction, and thus, a smaller chance that they'll miss a fraudulent
transaction, or doing nothing, with the certainty that they'll not get
real-time notification of a fraudulent transaction?  It depends on the
situation, of course, but I'd wager that for a vast majority, the e-mail
option provides the best cost-benefit ratio.

Note that one might even disable the notifications while someone's traveling
(when you're likely to see a lot of them), and use them only one the
cardholder is not travelling, when transactions are far more likely to be
fraudulent (assuming the card is used only for travel).

So my vote on this side of things: an excellent feature, use it as
necessary, and do keep in mind that you might miss an e-mail, so have a
backup plan to deal with a fraudulent translation for which you don't get an
e-mail notification.

Well, I could go on to the other point, but I think that this provides a
reasonable example of how we should be doing risk analysis, and a good
contrast to the, "Oh no! There are risks!" school of post that I see here
from time to time.

Curt Sampson  +81 90 7737 2974   http://www.starling-software.com


Microsoft security advice for sale

<peter@houppermans.com>
Sat, 17 May 2008 17:34:24 +0200 (CEST)
Words fail me..

On the few Windows systems I have left, I always check what Windows update
wants to install (proved a good strategy during the "Windows Genuine
Advantage" disaster).  This hour's suggested patch was a "GDI+ scanner".
Being the curious sort, I followed the link
<http://go.microsoft.com/fwlink/?LinkId=33568> and guess what?

It links straight into a Microsoft Word document - in .docx format..

  [Eric Rachner noted "Yeah, whoever posted that document should've
  been more thoughtful.  In the meantime, you don't have to purchase
  Office—just download the free .docx reader from Microsoft.]


Old-Style Pumps Balk At $4-a-Gallon Gas, Too

Monty Solomon <monty@roscom.com>
Sat, 17 May 2008 03:29:21 -0400
[Source: Nick Miroff, *The Washington Post*, 16 May 2008]

Like a lot of small-scale entrepreneurs, Cathy Osborne worries that she'll
go out of business if fuel prices rise above $4 a gallon. Not because she
won't be able to buy gas at that price, but because she won't be able to
sell it.

The old mechanical gas pumps with scrolling dials at her country store in
Fauquier County lack the gears to go beyond $3.99 a gallon.  State
inspectors shut down her diesel pump several months ago when the fuel topped
the $4 mark, so now all that's left are two pumps dispensing 87-octane
gasoline, set at $3.75—and climbing. ...

http://www.washingtonpost.com/wp-dyn/content/article/2008/05/15/AR2008051503756.html


Clueless in France

Pete Kaiser <djc@resiak.org>
Tue, 20 May 2008 08:10:17 +0200
Order broadband from France Telecom.  You will get web access to your
account information; the details of your order, for instance, are on a page
like this:

     http://suivicommande.francetelecom.com/....{number N}

The information on this page includes your name, the address where the
service is installed, your access code, account number, telephone number,
and of course what (they think) you ordered and what its status is.

N+1 also works, but for someone else's order.  And so forth.

It is staggeringly irresponsible to put this kind of information on
unsecured pages, especially with public consecutive transaction numbers in
the URL.  They do a lot on unsecured pages, or pages with a mix of secured
and unsecured frames that come from different domains.

And they also got our order wrong.


PayPal XSS Vulnerability Undermines EV SSL Security (Paul Mutton)

Monty Solomon <monty@roscom.com>
Sat, 17 May 2008 11:06:44 -0400
[Source: Paul Mutton, netcraft, 16 May 2008]

A security researcher in Finland has discovered a cross-site scripting
vulnerability on paypal.com that would allow hackers to carry out highly
plausible attacks, adding their own content to the site and stealing
credentials from users.

The vulnerability is made worse by the fact that the affected page uses an
Extended Validation SSL certificate, which causes the browser's address bar
to turn green, assuring visitors that the site - and its content - belongs
to PayPal. Two years ago, a similar vulnerability was discovered on a
different page of the PayPal site, which also used an SSL certificate. ...

http://news.netcraft.com/archives/2008/05/16/paypal_xss_vulnerability_undermines_ev_ssl_security.html


More GPS Mishaps

Gene Wirchenko <genew@ocis.net>
Sun, 18 May 2008 22:34:46 -0700
This week's (May 18, 2008) News of the Weird has under Recurring Themes two
items about GPS mishaps.  (http://www.newsoftheweird.com/)
  [Click on 05-18-08 if it is no longer the current column,
  scroll down to recurring themes, and this is what PGN found:]

Navigation System On, Brain Off: Brad Adams, 52, crashed his charter bus
(carrying two dozen high school softball players, who had to be sent to a
hospital) into a pedestrian bridge in Seattle's Washington Park Arboretum in
April (bus: 11 feet, 8 inches high; bridge, 9 feet, 0 inches). Adams said he
missed warning signs because he was busy following the navigation
system. [Seattle Times, 4-17-08]

Five days after that, in King's Lynn, England, a Streamline taxi minibus had
to be pulled from the River Nar after the driver, who said he was obediently
following the navigation system instructions, drove straight into the
water. [Lynn News, 4-23-08]


Re: UK CCTV used to create a music video (RISKS-25.15).

"Chris D." <e767pmk@yahoo.co.uk>
Wed, 21 May 2008 21:36:08 +0100
Blatant opinion from a Brit: it feels like either `1984', or an Internet-era
version of 1970s East Germany...  It's a bit difficult to sort through the
media hype, but apart from the world's biggest DNA sample database,
allegedly some local authorities have experimented with garbage containers
incorporating RFID chips, so that they can track down errant citizens who
failed to sort their 6 types of plastics for recycling.  Just this week (May
20th) it was widely reported that laws are being proposed requiring
telecomms companies and ISPs to supply the Home Office (interior ministry)
with all telephone traffic and web surfing details and copies of e-mails
handled; potential data volumes are noted as a concern (what a surprise).
And coming soon (maybe)—ID cards!  https://www.ips.gov.uk/ , follow
links.  There's a strong tradition here that "the gentleman in Whitehall
[Government offices] knows best", so opposition has been limited to grumbles
and moans.

> Unable to hire a production crew for a standard 1980's era MTV music
> video, they performed their music in front of 80 of the 13 million CCTV
> "security" cameras available in England

Funnily enough, a humorist in a newspaper some years ago suggested making a
movie this way—you've heard of `cinema verite', so he proposed `cinema
securite'...

Chris Drewe, Essex County, UK.


Re: Dilbert wants a widget (Ehrich, RISKS-25.15)

Bill Bumgarner <bbum@mac.com>
Fri, 16 May 2008 15:31:49 -0700
The new Dilbert site design is abysmal.  It is a flash based behemoth that
takes a long time to load, is slow, and generally crowds the page with
useless garbage.

In other words, every bit the design product of a group of people working in
an environment that Dilbert so effectively pokes fun of.

In response to the unbelievably loud set of complaints about the "new and
improved" design, a "fast" page was made available:
  http://www.dilbert.com/fast


Re: Debian OpenSSL Predictable PRNG Toys

"Horning, Jim" <Jim.Horning@sparta.com>
Mon, 19 May 2008 14:46:10 -0700
"Random" and "haphazard" are not synonyms.

The assumption that uninitialized memory actually contains *random* values,
rather than merely values *that the writer of the code does not know how to
predict* is a highly dubious one.  I have used systems where the values of
uninitialized variables were totally predictable.  I don't know which open
source operating systems randomize the contents of memory when allocating it
and which do not, but anyone who cares about the results of the OpenSSL
package really ought to.

I hope that someone is checking out the predictability of all the non-Debian
PRNG results?


Re: Securing The Wrong Spaces: A Lesson (Damiani, RISKS-25.10)

"David E. Price, SRO, CHMM" <price16@llnl.gov>
Tue, 20 May 2008 11:00:33 -0700
Actually, because of the effects of the inverse square law, given an equally
sensitive radar on the other end they can be detected at 4 times the
distance they can 'see', not twice the distance. (A RISK of simple math?)

Senior Safety Analyst
(Nuclear, Chemical, Biological, and Explosives Accident/Safety Analyses)

  [typo corrected in archive copy.  PNG]

Please report problems with the web pages to the maintainer

Top