The Risks Digest

Forum on Risks to the Public in Computers and Related Systems

ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

Volume 25 Issue 36

Tuesday 30 September 2008

Contents

Mersenne-aries receive benevolence
PGN
"Wall Street's Collapse May Be Computer Science's Gain"
ACM technews
BBV: Two-Minute warning on voting machines
Steve Kelem
Online flight bargains not as good as they seemed
Donald Mackie
Risks of all-encompassing backups
Peter Gutmann
ATM reprogramming scam; Two arrested
Kevin Poulsen via PGN
Default passwords and gasoline thefts
Jim Haynes
ATM bug
Phil Smith III
Re: Sydney tunnel: When is a backup not a backup?
Martin Ward
Sydney Australia or Sydney Nova Scotia?
Rick Gee
Too big to fail = single point of failure?
Bill Hopkins
Flooded computers disposed of?
Marty Brenneis
Burning wheelchair almost destroys airplane
Andrew Koenig
Re: Risks of financial systems too complex ...
Robert P Schaefer
Re: Hacker claims Palin e-mail hacked via password reset
Scott Miller
Re: Risks of not using check digits
Toby Douglass
Risks in Networked Computer Systems, Andre' N. Klingsheim
PGN
Study on InSecurity of Social Networks
LinkedIn et al. via Klaus Brunnstein
Estonian Cyber Security Strategy document
Gadi Evron
Info on RISKS (comp.risks)

Mersenne-aries receive benevolence

<"Peter G. Neumann" <neumann@csl.sri.com>>
Sat, 27 Sep 2008 19:49:34 PDT

  [Thanks to Phil Porras for spotting this one.]

As part of the Great Internet Mersenne Prime Search (GIMPS), UCLA
mathematicians led by Edson Smith discovered (on 23 Aug 2008) the first
verified Mersenne prime number with more than 10 million digits -- indeed,
13-million digits long:
  p = 2^(43,112,609) - 1.
The Electronic Frontier Foundation prize is $100,000.  This is the eighth
Mersenne prime "discovered" at UCLA, using spare cycles of many machines
(as is also done with the SETI project -- the search for extraterrestrial
intelligence).
[Source: Thomas H. Maugh II, *Los Angeles Times*, 27 Sep 2008; PGN-ed]
 http://www.latimes.com/news/science/la-sci-prime27-2008sep27,0,2746766.story

  [Note that this discovery does not greatly advance the quest for rapid
  factoring of arbitrary large prime products.  However, it is once again a
  reminder of the potential power of highly distributed computing.
  The prize is on the order of eight-tenths of a penny per prime-number
  digit.  The first multi-million-digit prime,
    2^(6,972,593) - 1,
  had only 4,197,919 digits, and received $50K from EFF a decade ago:
    http://primes.utm.edu/notes/6972593/PressAnnouncement.html
  I wonder if EFF will now spring for the first 100-million-digit Mersenne
  prime to fall?]


"Wall Street's Collapse May Be Computer Science's Gain"

<technews@HQ.ACM.ORG>
Fri, 26 Sep 2008 13:45:04 -0400

Patrick Thibodeau and Todd R. Weiss, *Computerworld*, 26 Sep 2008

The recent collapse on Wall Street may make a career in computer science or
IT more attractive to students, who largely left those fields following the
dot-com bust of 2001.  Stanford University computer science department
chairman William Dally says students are returning to computer science
because they like the field and not necessarily because it can make them
rich.  Boston College professor John Gallaugher says he has already seen a
change in student interest, with many students contacting Gallaugher and
expressing an interest in switching from finance.  Following the dot-com
bust, computer science enrollment declined until it reached a low of 8,021
last year, down from 14,185 in 2003-2004, according to the Computer Research
Association (CRA).  Meanwhile, offshore outsourcing also scared students
into avoiding technology careers.  Now, companies are suffering from a
shortage of technology professionals, and the looming baby boomer
retirements will only add to the problem.  CRA analyst Jay Vegso says
economic conditions appear to impact the choice that students make when
choosing a major, and students currently choosing majors may be looking for
safer alternatives.  Stevens Institute of Technology's Howe School of
Technology Management associate dean Jerry Luftman says the major difference
between today and the late 1990s is the type of student that businesses
need.  While technical skills are important, Luftman says companies also
want students with management and industry training, strong communications
abilities, and marketing and negotiations skills.  The U.S. Bureau of Labor
Statistics reports that IT jobs are among the fastest growing; openings for
networks systems and data communications analysts are expected to reach
402,000 this year, up from 262,000 in 2006.
http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9115616&intsrc=news_ts_head


BBV: Two-Minute warning on voting machines

<Steve Kelem <steve@kelem.net>>
Tue, 30 Sep 2008 10:23:53 -0700

This message is from Black Box Voting, a non-profit that monitors voting
irregularities and fraud.  Steve Kelem, Los Altos Hills, CA

-------- Original Message --------
Subject: From BBV: Two-Minute warning on voting machines
Date: Thu, 11 Sep 2008 02:55:21 -0700
From: Black Box Voting <blackboxvoting@worldnet.att.net>
Reply-To: crew@blackboxvoting.org

TWO-MINUTE WARNING ON VOTING MACHINES: Welcome to "SPEED VOTING"

Permission to reprint or excerpt granted, with link to blackboxvoting.org

Diebold/Premier says it's too late to fix a new voting machine 2-minute
warning and "time-out" feature, which can kick voters off the machine,
forcing them to accept a provisional ballot. At least 15 voters were booted
off the machine in Johnson County, Kansas recently, and Diebold/Premier says
this is due to a software upgrade which sets a timer on voter
inactivity. According to the company, the machines receiving the upgrade are
used in 34 states and 1,700 jurisdictions.*

*This seems inflated, though. Unless the optical scan machines are also
 outfitted with a 2-minute warning, which doesn't make sense, it would seem
 that this should only apply to the DRE states and locations.

JOINING THIS PROBLEM TO MAKE IT BIGGER:

A study on DRE allocation from Ohio indicates that it takes an average of
four to nine minutes per voter to cast an average-length ballot, and ballots
in many locations will be longer than average this fall. Each additional
ballot question can add 30 seconds to the time a voter must monopolize the
DRE.

Diebold's 2-minute timeout kicks in when the voter does not make a selection
quickly enough. (Welcome to 21st Century literacy tests.)

According to a Sept. 10 Kansas City Star Article, Johnson County upgraded
touchscreen voting machines with a new software release from Diebold
subsidiary Premier Election Solutions Inc.  Buried in the release notes was a
mention of a new "time out" feature that makes the voting machine eject a
voter card if there has been no activity for 150 seconds. The machine emits
a warning sound at 120 seconds.

You can read the full article here:
http://primebuzz.kcstar.com/?q=node/14307

You can add your insights and ask questions here:
http://www.bbvforums.org/forums/messages/7659/78057.html

The Black Box Voting TOOL KIT 2008
( http://www.blackboxvoting.org/toolkit2008.pdf )
recommends that citizens, like you, obtain the voting machine allocation
plans for your jurisdiction. This is going to become critical for locations
that use touch-screens, or DREs. Unlike optical scan voting machines, DREs
require voters to monopolize a machine the whole time they are voting.

The Ohio study linked below provides concrete guidelines for how many
machines are needed:

http://www.bbvdocs.org/OH/franklin/gen2008-voting-machine-allocation.pdf
(3,023 KB)

[See also: Wisconsin cheese more nimble than voting list.  PGN]
http://www.bbvforums.org/forums/messages/176/78042.html


Online flight bargains not as good as they seemed

<Donald Mackie <donald@iconz.co.nz>>
Tue, 30 Sep 2008 22:06:17 +1300

As we get increasingly used to booking travel online - and also seeing
bargain fare offers - this had to happen sometime. Of course - if it's too
good to be true...

Apparently the airline was altering the fares - the intended increase became
the sale price. Normally NZ-Europe costs around NZ$2300.

This from the *New Zealand Herald* is fairly self-explanatory:

http://www.nzherald.co.nz/nz/news/article.cfm?c_id=1&objectid=10534492

"More than 100 New Zealanders who snapped up extremely cheap airfares
yesterday will have their money refunded and tickets voided.

One-way tickets from Auckland to Europe through airline KLM started at just
$50 on its website yesterday. Return business trips were priced at $500. But
the fares were a result of a filing error, KLM spokeswoman Elizabeth
Vangalen told the Weekend Herald from Amsterdam last night.

"It's a filing mistake, a human error," she said. "The tariffs vary a lot
from day to day, so there are a lot of chances for human error."

The airline did not have the final number of tickets bought at the reduced
price, but already more than 100 tickets had been identified.  The number
could rise to as high as 300, she said. Full refunds would be made "as soon
as possible".

The bookings had already been canceled, Ms Vangalen said, and the airline
believed there was no chance any travelers wanting to have their tickets
honoured would get their way.

But simply voiding the tickets when it was realised a mistake had been made
was not good enough, one angry traveler said last night.

David Smith, who had been planning a trip to London with his partner for
some time, bought two return tickets on his credit card yesterday. When
taxes, surcharges and reservation fees were added the cost was $660. Mr
Smith said he had given his employer the dates of his trip, and had booked
accommodation in London.

"I'm a professional myself and if I make a mistake I'm held accountable for
it. I don't just say to a customer, 'I cocked up, now give me the money
back'," he said."

Don Mackie, Auckland, New Zealand


Risks of all-encompassing backups

<pgut001@cs.auckland.ac.nz (Peter Gutmann)>
Tue, 30 Sep 2008 21:02:35 +1300

With users squirreling their data away in ever more obscure locations (this
"disk drive" is an iPod, that "disk drive" is a cellphone, the other "disk
drive" is an SD card, ...) it's necessary for backup software to be very
methodical in what it backs up or face the risk of losing user data.  So
what happens when your software uses a comprehensive backup policy?
Here's one example, with identifying marks deleted:

  This programme, always running in the background, monitors files on your
  computer and notices when they have been modified.  It then copies the
  files, compresses and encrypts them, and sends them through the net to a
  backup computer.  This system reads and preserves ALL FILES on each
  computer.  Users are not allowed to restrict files from being read and
  backed up.

  If you have a laptop, you may have noticed that this programme uses huge
  amounts of bandwidth initially, because it starts out by dumping all the
  files on your disk.  I discovered this when most of my ISP monthly
  allocation was used up over one weekend, largely by this backup.  I
  quickly learned to put the application on "pause" whenever it was plugged
  in at home.  I don't always remember to "unpause" it when I am at work,
  and I'm having second thoughts about whether I even want to.

  After some consultation, I was assured that the bandwidth for uploading
  files would decline rapidly once all the files had been transferred, but
  the high upload rate continued for over a month.  I was mystified why it
  should be taking so long to finish this initial task for an 80GB drive
  until I discovered that the programme is not simply monitoring the
  internal hard disk, but all memory devices accessible to the computer.  So
  when I took it home, it was, among other things, backing up the 300MB
  drive I use for family and personal matters, and another 500MB drive that
  I used as a "hot backup".  In fact, apparently, every time you drop a CD
  or DVD into a drive, or connect a memory stick, it also grabs those files
  and uploads them.  Even connecting a camera, apparently will result in
  your pictures being uploaded and saved.  I haven't yet been able to
  determine whether it is also accessing remote disks that are available to
  my computer at home through my network behind a firewall, where sharing is
  wide open, and other members of my family have information they definitely
  do not want uploaded.

It seems the vendors are stuck between a rock and a hard place.  If they
miss some obscure storage location, then customers get upset.  But if they
do scour every piece of storage media, then other customers get upset.  You
can't even exclude "obvious" media like CDs/DVDs because with packet-writing
software you don't know whether what's in there isn't being used as general
R/W data storage and therefore in need of backup.


ATM reprogramming scam; Two arrested (Kevin Poulsen)

<"Peter G. Neumann" <neumann@csl.sri.com>>
Wed, 24 Sep 2008 9:39:40 PDT

In what Kevin Poulsen reports are the first felony charges for hacking ATMs,
two men in Lincoln, Nebraska used default passcodes to reprogram privately
owned cash machines to believe they were dispensing ones instead of
twenties.  Kevin notes that a gas station cash machine in Virginia Beach VA
had been similarly reprogrammed in 2006 to believe it was dispensing fives,
using default administrative passcodes that were printed in owners' manuals
by Tranax and Triton -- whose newer ATMs require default passcodes to be
changed on first use.  [Source: Kevin Poulsen, Two Arrested in First Bust
for ATM Reprogramming Scam, 23 Sep 2008; PGN-ed]
http://blog.wired.com/27bstroke6/2008/09/two-arrested-in.html

Some folks wonder why voting machines cannot be trustworthy if ATMs are
secure.  But ATMs have cameras, audit trails, printed receipts, money (which
is evidently more important than votes), and constrained development and
operation -- and still aren't secure.  Of course, all-electronic voting
machines don't have those things, and are much less secure.  PGN


Default passwords and gasoline thefts

<Jim Haynes <jhhaynes at earthlink dot net>>
Tue, 23 Sep 2008 11:36:26 -0500 (CDT)

An article in today's *Arkansas Democrat-Gazette* tells of 1500 gallons of
gasoline stolen from a station.  It seems the gasoline pumps are shipped
with a default key-code and the station owners are failing to change the
codes.  "Thieves can sometimes purchase a key and the factory default codes
on the Internet.  If the station owner has not changed the default code,
then the thief can manually enter the codes to put the machine in
stand-alone mode and steal gasoline."  Tells how after the particular
station had closed for the night someone had reprogrammed it and the police
discovered long lines of cars waiting there to fill their tanks for free.
All but two got away.


ATM bug

<"Phil Smith III" <risks0908@akphs.com>>
Tue, 23 Sep 2008 10:00:07 -0400

Last week I was making a largish deposit using a touch-screen ATM (US; bank
probably isn't relevant, since I assume they use COTS software).

I started the transaction, including entering the amount, then signed the
check and wrote my account number on it. Then I fed the check into the
deposit envelope. By this time, the display was asking, "Do you need more
time?" (an existential question if ever I saw one!).

I either brushed the "No" button or hit "No" -- I'm not sure which (I've
noticed before that the buttons don't make good use of screen real estate --
they should be as widely separated as possible, and aren't). In any case, it
said "Transaction canceled" and that was it. But meanwhile, it had happily
eaten the envelope containing my check!

I'm still waiting for the bank to find it. I had written the account number
on the back, so hopefully that will do it. Turns out the branch doesn't
process ATM deposits, so they can't help (I of course spoke with them
immediately after it happened), and &bank Galactic keeps saying to wait
another day. Meanwhile, I've filed a "dispute" with them; everyone agrees
that it's not rational that whoever processed the deposits, finding an
orphaned check *with an account number on the back that matches the payee's
name*, wouldn't have just processed it.

Actually, what I probably should have done, is redone the transaction,
putting *an empty envelope* in the slot. Then things would have been much,
much clearer to whoever processed the envelopes.

In any case, this is clearly a software bug: as I pointed out to the bank,
if it's going to let me cancel a deposit after it's accepted the envelope,
it should let me cancel a withdrawal after it's dispensed the cash. They
didn't seem to think that was funny.


When is a backup not a backup? (Re: Colville, RISKS-25.35)

<Martin Ward <martin@gkc.org.uk>>
Tue, 23 Sep 2008 11:43:22 +0100

  "The M5 East tunnel is a 4-km tunnel on a major motorway leading into
  Sydney.  On 22 Sep 2008 the tunnel was closed for 2 3/4 hours starting at
  about 0900, due to the failure of a backup computer."

We have had systems fail because the backup system was not able to handle
the peak load on the main system: in other words, the "backup" turned out to
be unable to take over when most needed. So it wasn't a "backup" at all.

Now we have a system which fails because the "backup" computer failed.
So this "backup", instead of dealing with a single point of failure,
adds another single point of failure to the system!

martin@gkc.org.uk http://www.cse.dmu.ac.uk/~mward/


Sydney Australia or Sydney Nova Scotia?

<Rick Gee <RGEE@okanagan.bc.ca>>
Tue, 23 Sep 2008 10:47:19 -0700

A woman planning to fly on Air Canada to Sydney, Australia wound up in
Sydney, Nova Scotia.  [And it reportedly had happened to two other people,
in 2002.]

http://www.cbc.ca/canada/nova-scotia/story/2008/09/19/sydney-argentina.html

Rick Gee, Chair, Computer Science, Okanagan College www.okanagan.bc.ca/cosc
people.okanagan.bc.ca/rgee


Too big to fail = single point of failure?

<"Bill Hopkins" <whopkins@wmi.com>>
Tue, 23 Sep 2008 14:26:33 -0400

In designing reliable systems, we generally try to identify and avoid any
single points of failure: components that, if they fail, bring down the
system.

I haven't seen a lot of discussion about avoiding "too big to fail"
components in our financial system.  One is a comment by James Pinkerton
(with whom I generally don't agree on much) in Politico's Arena:
  http://www.politico.com/arena/archive/25.html


Flooded computers disposed of?

<Marty Brenneis <marty@sparkology.com>>
Mon, 22 Sep 2008 19:20:31 -0700

There was a photo in a recent *San Francisco Chronicle* of workers piling up
flooded computer equipment from one of the hospitals in the path of
hurricane Ike.  It got me to thinking of how much tracking there is of the
IT equipment with data stored in them that goes astray in a scene like that.

In many cases the power is out long before the equipment gets flooded.  I'd
bet that a large number of the hard drives have recoverable data in them.

How many flooded systems are there in the disaster area?  How many have
sensitive data on them?  How many workers toss the flooded machines in the
trash thinking they are unrecoverable?

Food for thought for the risks readers out there.

Marty Brenneis, Kerner Studios, Making Chaos for the CG World


Burning wheelchair almost destroys airplane

<"Andrew Koenig" <ark@acm.org>>
Tue, 23 Sep 2008 15:34:34 -0400

A holiday jet carrying 229 passengers narrowly avoided disaster when a
wheelchair stored in the hold burst into flames shortly after landing at
Manchester airport.  The chair was removed from the Boeing 727-200 jet and
placed on a vehicle - where it immediately burst into flames and was
destroyed.  http://www.timesonline.co.uk/tol/travel/news/article4810663.ece

Further commentary is superfluous.


Re: Risks of financial systems too complex ... (Smith, RISKS-25.34)

<"Schaefer, Robert P (US SSA)" <robert.p.schaefer@baesystems.com>>
Thu, 25 Sep 2008 13:38:22 -0400

As long as we are citing references to the crash of 1929, one may want to
read:

  Garet Garrett, Ouroboros or The Mechanical Extension of Mankind,
  E.F. Hutton, 1926
  http://mises.org/books/ouroboros.pdf

The focus of Garrett's text expands on Horning's list, in particular
the fourth "weakness":

  4) The dubious state of the foreign balance

  [NOTE: For RISKS readers less inclined to mythology, ouroboros (literally,
  tail-eater, with numerous alternative spellings in its transliteration
  from Greek) refers to a serpent devouring its own tail, symbolizing
  cyclicity or cyclicality.  Maybe the serpent inhabited the Cycladic
  Islands, one of which is Eschati -- which might in turn be related to
  Eschatology but not E-scatology, which we find a lot of on the Internet.
  (See my treatise on the use and misuse of the hyphen, The Hyphenater's
  Handbook or The Hyphen-Haters Handbook, on why I prefer 'E-mail' to
  'email' and related thoughts.)  PGN]


Re: Hacker claims Palin e-mail hacked via password reset (RISKS-25.35)

<Scott Miller <SMiller@unimin.com>>
Tue, 23 Sep 2008 08:26:11 -0400

Gotta call "bollocks" on this one, or at least make an accusation of
information withheld.  I "own" three Yahoo! email accounts, and I created a
fourth in the interests of fact checking this claim (in case something had
changed since I set up the other three).  After testing, it does not appear
to be possible to complete the Yahoo! password reset function without
knowing either the Yahoo! ID or the alternate email address.  No purported
analysis of the alleged hack that I have seen (including the alleged
description by the alleged hacker himself) has mentioned knowing either of
those two items.  So, has essential information been omitted from the
description of the hack by all parties (and why?), is the claim entirely
falsified, or is there a third possibility that escapes me at the moment?


Re: Risks of not using check digits (RISKS-25.35)

<"Toby Douglass" <trd@45mercystreet.com>>
Wed, 24 Sep 2008 19:22:50 +0200 (CEST)

My apologies for the factual error regarding check digits in Dutch bank
account numbers.

I obtained this information by phoning ABN AMRO and reaching what I
believe in the end was third-line support.

  [I am always grateful to RISKS readers for incremental fact-checking!
  PGN]


Risks in Networked Computer Systems, Andre' N. Klingsheim

<"Peter G. Neumann" <neumann@csl.sri.com>>
Fri, 26 Sep 2008 11:33:45 PDT

My SRI colleague Ulf Lindqvist has just returned from Bergen, Norway, where
he was a member of the examining committee for the defense of Andre
Klingsheim's PhD thesis -- which Ulf has shared with me.  The thesis is a
collection of eight of Klingsheim's published papers in English, ranging
from analyses of the Norwegian national security infrastructure, their ATM
system, potential man-in-the-middle attacks (why do women never get
implicated?) and flawed authentication in Internet banking, mobile risks,
vulnerabilities in E-governments, identity theft, and open wireless nets.
Klingsheim's introduction to the thesis identifies various common threads
that will be familiar to RISKS readers, particularly risks relating to
security, privacy, and judicial matters.  What is perhaps most worth noting
here is the pervasive nature of the problems throughout so many application
areas.  Although this should be no surprise to you all, it is still a useful
reminder of how far we need to go in the future.
  http://www.nowires.org/Thesis-PDF/AndreKlingsheim.pdf


Study on InSecurity of Social Networks (LinkedIn et al.)

<"Klaus Brunnstein" <brunnstein@informatik.uni-hamburg.de>>
Fri, 26 Sep 2008 14:08:45 +0200

RISKS readers may be interested to read details of a study just published by
Fraunhofer SIT (Institute for Secure Information Technologies, SIT, situated
in Darmstadt, Germany) addressing Security problems of several highly
frequented social networks, including facebook, myspace, LinkedIn and Xing
(plus 3 German platforms: studiVZ, wer-kennt-wen and lokalisten). The author
Andreas Poller analysed access protection, traffic protection using crypto
(hardly available) as well as registration; with facebook being slightly less
insecure than myspace, and LinkedIn (which supports pseudonymity, which is
though hardly useful in business applications) slightly better than Xing, no
platform satisfies essential security requirements.

The study, which was developed for the German market, is presently only
available in German but will be translated when sufficient international
interest is experienced:

German title: "Soziale Netzwerke gefaehrden Privatsphaere"
http://www.sit.fraunhofer.de/fhg/Images/SocNetStudie_Deu_Final_tcm105-132111.pdf
(engl): "Social Networks dangerous for private sphere"

The study addresses technical issues only. In addition, it would be helpful
to address not only the requirements and availability of security functions
but also the enforcement of privacy in related laws. In addition to the (technical)
insecurity of globally operating social networks, differences in legal
protection of privacy (e.g. between US and European laws) should be
addressed.

Klaus Brunnstein, Prof. em. University of Hamburg, Germany (9/26/2008)


Estonian Cyber Security Strategy document -- now available online

<Gadi Evron <ge@linuxbox.org>>
Fri, 26 Sep 2008 08:43:09 -0500 (CDT)

The Estonian cyber security strategy document is now available online.  I
must say once again the concept of a national cyber security stance is quite
interesting.

Those who wish to download the document:
http://www.mod.gov.ee/?op=body&id=518

My contact there specified she'd be happy to answer any questions. To avoid
spam of her inbox, email me for her address.
