The Risks Digest

Forum on Risks to the Public in Computers and Related Systems

ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

Volume 25 Issue 40

Tuesday 21 October 2008

Contents

Treasury Office Faults IRS Computer Security
AP via PGN
Springer: Open for all to see
Debora Weber-Wulff
TBS leaves baseball championship game viewers in the dark
Jim Reisert
Drunk, and Dangerous, at the Keyboard
Alex Williams via Monty Solomon
Thousands Face Mix-Ups in Voter Registrations
Mary Pat Flaherty
Ohio Secretary of State's Web Site Hacked; voter suppression tactics
Steve Kelem
From BBV: Two-Minute warning on voting machines
Steve Kelem
Unbelievable security violation
Identity withheld
Re: More Password Reset Procedures
Identity withheld
Risks: Unlock your house via the Internet
Gabe Goldberg
Re: Remarkable -- United Airlines Stock
Martin Gregorie
Re: Outliers
Jurek Kirakowski
Re: Investigator: Computer likely caused Qantas plunge
Peter Rieden
Ron Garret
Re: Sydney NS vs. Sydney NSW
Chuck Charlton
Re: Illinois high-speed trains
Joseph Brennan
Re: Risks of a new laptop
Scott Miller
Correction/disclaimer re unistable polyhedron
Ken Knowlton
Re: The folly of retaining default settings
Mark Thorson
Re: D10T: National Debt Clock is out of digits
Mark Hull-Richter
Info on RISKS (comp.risks)

Treasury Office Faults IRS Computer Security

<"Peter G. Neumann" <neumann@csl.sri.com>>
Mon, 20 Oct 2008 15:55:16 PDT

Two new IRS computer systems that will eventually cost taxpayers almost $2
billion are being put into service despite known security and privacy
vulnerabilities, a Treasury watchdog said in a report coming out Thursday.
The office of the Treasury Inspector General for Tax Administration said
Internal Revenue Service officials failed to ensure that identified
weaknesses had been addressed before putting the new systems into use.
Inspector General J. Russell George said it was ''very troublesome'' that
the IRS ''was aware of, and even self-identified, these weaknesses.''

The IRS, in a statement, said security of taxpayer data ''is of paramount
importance'' to the agency and that, as noted in the report, it had
implemented many of its recommendations and taken steps to improve security.
It stressed that no taxpayer data has been harmed and numerous security
safeguards were in place.

The report focused on the Customer Account Data Engine, which will provide
the foundation for managing all taxpayer accounts, and the Account Management
Services system, which will provide faster and improved access by employees
to taxpayer account data.

Both systems are gradually being put into use. CADE, expected to cost more
than $1 billion through 2012 to develop and operate, this year processed
about 20 percent of the 142 billion returns filed. The Account Management
Services system, AMS, still in its initial stages, will cost more than $700
million to develop and maintain through 2024.  [Source: AP item, 16 Oct 2008]
  http://www.nytimes.com/aponline/washington/AP-IRS-Computer-Security.html


Springer: Open for all to see

<Debora Weber-Wulff <D.Weber-Wulff@fhtw-berlin.de>>
Sun, 19 Oct 2008 21:14:44 +0200

The German weekly magazine *Der Spiegel* 19 Oct 2008 reports on the data
protection problems that a large rival publishing house, Springer, has had
in the past few days.

It turned out that people who had submitted ads for their local ad papers
online had all of their data -- name, address, mobile telephone, bank
account info -- available online, helpfully indexed by Google.

It was especially problematic for people who had put in, shall we say,
rather delicate, anonymous ads.  One example was the retired gentleman
looking for men to play stripping card games with him; another person was
looking for a bisexual playmate.  And there they were, searchable and
unencrypted on the open Internet.

It was discovered by a system administrator who was doing an ego search in
September.  He was shocked to find his mobile telephone number cheerfully
delivered by Google.  He investigated and found the data to be from an ad he
had placed about a year and a half ago with a Springer newspaper for selling
his apartment.

Springer reacted quickly, removing the data, but it has taken ages to purge
it from the Googlebanks.  The system administrator is a bit angry at
Springer, as they have not offered to pay him damages for having to get a
new phone number.

Googling the admin's name, I still get a hit on "Visual Form Maker -
Adminscript" for the Hamburger Abendblatt, but the cached data is gone and
the link only returns a 404.
http://www.hamburgerwochenblatt.de/php/edit_table.php?order=mwst&sort=ASC&sw=j&tbl=kleinanzeigen
The tool is advertised as offering forms for web pages that can be created
in an uncomplicated way for people without knowledge of programming.

Perhaps people who cannot program should not be entrusted with making forms
for web pages with sensitive data?

Prof. Dr. Debora Weber-Wulff, FHTW Berlin, FB 4, Treskowallee 8, 10313
Berlin GERMANY  +49-30-5019-2320 http://www.f4.fhtw-berlin.de/people/weberwu/


TBS leaves baseball championship game viewers in the dark

<Jim Reisert AD1C <jjreisert@alum.mit.edu>>
Sat, 18 Oct 2008 23:05:40 -0600

Said the TBS network statement: "Two circuit breakers in our Atlanta
transmission operations tripped, causing the master router and its backup --
which are necessary to transmit any incoming feed outbound -- to shut down.
This impacted our live feed from being distributed to any of the other
networks in the Turner portfolio and caused the delay in our coverage.  Both
our primary and backup routers were impacted by this problem.  We apologize
to baseball fans for this mishap that caused a delay in our coverage."

According to Pomeroy, the failure of the routers was unprecedented and
prevented TBS from broadcasting a live message of any kind, including an
informational scrawl at the bottom of the screen.  Pomeroy said the network
had no choice but to put on taped programming, which resulted in "The Steve
Harvey Show" at least temporarily ending up in the slot reserved for Game 6.

http://www.boston.com/sports/columnists/massarotti/2008/10/tbs_leaves_viewers_in_dark.html

Jim Reisert AD1C, <jjreisert@alum.mit.edu>, http://www.ad1c.us


Drunk, and Dangerous, at the Keyboard (Alex Williams)

<Monty Solomon <monty@roscom.com>>
Sun, 19 Oct 2008 19:03:31 -0400

[Source: Alex Williams, *The New York Times*, 19 Oct 2008]

ANYONE who has spent more than a few minutes over the last couple of weeks
trolling tech blogs or cocktail lounges has probably heard about Mail
Goggles, a new feature on Google's Gmail program that is intended to help
stamp out a scourge that few knew existed: late-night drunken e-mailing.

The experimental program requires any user who enables the function to
perform five simple math problems in 60 seconds before sending e-mails
between 10 p.m. and 4 a.m. on weekends. That time frame apparently
corresponds to the gap between cocktail No. 1 and cocktail No. 4, when
tapping out an e-mail message to an ex or a co-worker can seem like the
equivalent of bungee jumping without a cord.

Mail Goggles is not the first case of a technology developed to keep people
from endangering themselves or others with the machinery of daily life after
they have had a few. For years, judges have ordered drunken-driving
offenders to install computerized breath-analyzers linked to their car's
ignition system to prevent them from starting their vehicles when
intoxicated.

But as the first sobriety checkpoint on what used to be called the
information superhighway, the Mail Goggles program also raises a larger
question: In an age when so much of our routine communication is
accomplished with our fingertips, are we becoming so tethered to our
keyboards that we really need the technological equivalent of trigger locks
on firearms?

In interviews with people who confessed to imbibing and typing at the same
time - sometimes with regrettable consequences - the answer seems to be
yes. ...

http://www.nytimes.com/2008/10/19/fashion/19drunk.html?partner=rssuserland&emc=rss&pagewanted=all


Thousands Face Mix-Ups in Voter Registrations

<technews@HQ.ACM.ORG>
Mon, 20 Oct 2008 13:20:51 -0400

[Source: Mary Pat Flaherty, *The Washington Post*, 18 Oct 2008, P. A1,
from ACM TechNews, Monday, October 20, 2008]

New state voter registration systems across the U.S. are incorrectly
rejecting voters and threatening to disrupt the election process.  The
problems are occurring in states that switched from locally managed lists of
voters to statewide databases, a change required by the Help America Vote
Act.  Although the switch is supposed to be a more efficient and accurate
way to keep lists up to date, the transition is causing the systems to
question the registrations of thousands of voters when discrepancies occur
between their registration information and other official records.  In
Alabama, for example, dozens of voters are being labeled as convicted felons
due to incorrect lists, and Michigan is scrambling to restore thousands of
names it illegally removed from voter rolls due to residency questions.  In
Wisconsin, tens of thousands of voters could be affected, as officials admit
that their database is wrong one out of every five times it flags a voter,
often due to data discrepancies such as a middle initial or a typo in a
birth date.  Herbert Lin, who is studying the issue for the federal Election
Assistance Commission, says that states are not using the "best scientific
knowledge known today," as required by law.  One of the problems with
Wisconsin's database, which has been in place since August, is that 95,000
voters are incorrectly listed as being 108 years old.  If no birth date was
available when names were moved into the electronic system, it automatically
assigned 1 Jan 1900.  By federal law, anyone whose name is flagged must be
notified and given a chance to prove his or her eligibility, but voting
rights experts say voters are not always alerted, and some, even if they are
notified, may simply decide to skip the election as a result.
http://www.washingtonpost.com/wp-dyn/content/article/2008/10/17/AR2008101703360.html
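The 1 Jan 1900 default described above is a sentinel value standing in for "unknown", and the 108-year-old flags follow directly from treating it as a real date. The following is an added example, not code from the article or from any state's system: it runs a naive matcher and a sentinel-aware matcher over a few constructed registration rows. The 105-year age threshold, the "review" outcomes and the one-digit-typo rule are assumptions made for the illustration, not anything the article reports.

```python
from datetime import date

# The article says the Wisconsin system filled a missing birth date with 1 Jan 1900.
SENTINEL_DOB = date(1900, 1, 1)
MAX_PLAUSIBLE_AGE = 105            # assumed threshold for "implausible age"
ELECTION_DAY = date(2008, 11, 4)

# Constructed sample rows (not real voters):
# (voter id, name, DOB on the registration, DOB on the reference list)
SAMPLE = [
    (1, "Ann Lee", date(1970, 5, 2), date(1970, 5, 2)),   # clean match
    (2, "Bo Ray",  SENTINEL_DOB,     date(1981, 3, 4)),   # DOB never captured; sentinel stored
    (3, "Cy Dunn", date(1955, 9, 9), date(1955, 9, 8)),   # one-digit typo on one side
    (4, "Di Oak",  date(1960, 1, 1), date(1975, 6, 6)),   # genuinely different record
]

def age_on(dob, day):
    """Whole years between dob and day."""
    return day.year - dob.year - ((day.month, day.day) < (dob.month, dob.day))

def single_digit_edit(a, b):
    """True when the two ISO date strings differ in exactly one character (a typo)."""
    return sum(x != y for x, y in zip(a.isoformat(), b.isoformat())) == 1

def flag_naive(reg_dob, ref_dob, day=ELECTION_DAY):
    """Sentinel treated as a real date: every missing DOB becomes a 108-year-old mismatch."""
    if age_on(reg_dob, day) > MAX_PLAUSIBLE_AGE:
        return "reject: implausible age"
    if reg_dob != ref_dob:
        return "reject: dob mismatch"
    return "ok"

def flag_aware(reg_dob, ref_dob, day=ELECTION_DAY):
    """Missing DOB is modelled as None (unknown) and can never contradict the reference;
    an unknown or near-miss value is routed to a human (and the voter notified) rather
    than auto-rejected. Only a clear contradiction is a rejection."""
    dob = None if reg_dob == SENTINEL_DOB else reg_dob
    if dob is None:
        return "review: dob not on file, ask voter"
    if age_on(dob, day) > MAX_PLAUSIBLE_AGE:
        return "review: implausible age"
    if dob == ref_dob:
        return "ok"
    if single_digit_edit(dob, ref_dob):
        return "review: likely typo"
    return "reject: dob mismatch"

def run(rows, classifier):
    """Map voter id -> outcome for every sample row under the given matcher."""
    return {vid: classifier(reg, ref) for vid, _name, reg, ref in rows}

if __name__ == "__main__":
    for name, clf in (("naive", flag_naive), ("sentinel-aware", flag_aware)):
        print(name, run(SAMPLE, clf))
```

The difference is not in the matching rule but in the data model: once "no date" is stored as a date, every downstream check silently treats it as evidence.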


Ohio Secretary of State's Web Site Hacked; voter suppression tactics

<Steve Kelem <steve@kelem.net>>
Tue, 21 Oct 2008 10:25:49 -0700

Ohio Secretary of State Jennifer Brunner cut back on the accessible
functionality of their website after apparent penetration efforts.  This was
reportedly not the first such attack.  [Source: Sarah Lai Stirland, WiReD
blog, 20 Oct 2008]
http://blog.wired.com/27bstroke6/2008/10/ohio-secretary.html


From BBV: Two-Minute warning on voting machines

<Steve Kelem <steve@kelem.net>>
Tue, 30 Sep 2008 10:23:53 -0700

This message is from Black Box Voting, a non-profit that monitors voting
irregularities and fraud.  Steve Kelem, Los Altos Hills, CA

-------- Original Message --------
Subject:        From BBV: Two-Minute warning on voting machines [...]
Date:   Thu, 11 Sep 2008 02:55:21 -0700
From:   Black Box Voting <blackboxvoting@worldnet.att.net>

TWO-MINUTE WARNING ON VOTING MACHINES: Welcome to "SPEED VOTING"

Permission to reprint or excerpt granted, with link to blackboxvoting.org

Diebold/Premier says it's too late to fix a new voting machine 2-minute
warning and "time-out" feature, which can kick voters off the machine,
forcing them to accept a provisional ballot.  At least 15 voters were booted
off the machine in Johnson County, Kansas recently, and Diebold/Premier says
this is due to a software upgrade which sets a timer on voter inactivity.
According to the company, the machines receiving the upgrade are used in 34
states and 1,700 jurisdictions.*

* This seems inflated, though. Unless the optical scan machines are also
  outfitted with a 2-minute warning, which doesn't make sense, it would seem
  that this should only apply to the DRE states and locations.


Unbelievable security violation

<[Identity withheld]>
Fri, 17 Oct 2008 23:56:36 -0400

My cable TV provider allows on-line access to accounts and major changes to
services can be made on-line.  If you forget the password, you can request a
reset.  They reset and e-mail you the temporary password.  This is done by
many and is reasonable.  However, this hi-tech company mails out the same
password every time -- the name of the company.  That means that I can
attempt to login as an "enemy", claim that I have forgotten the password.
They mail him the temporary password but I already know what it is.  After a
brief pause while they send him an e-mail, I log in with the universal
password and change it.  I can then do things like order services, cancel
services, etc.  and, in general, be a real pest.  The true owner cannot
login and will have just received a misleading message telling him to use
the new temporary password.

Talk about dumb!


Re: More Password Reset Procedures

<[identity withheld]>
02 Oct 2008

The Civil Air Patrol, an auxiliary of the US Air Force, runs a website where
members can access their membership and qualification status. Of course it
is password protected, and of course I had forgotten mine.

The site provides the normal "forgot your password?" link which takes you to
a page where you enter your member number and email address, and then a
"submit" button that is supposed to trigger an email with your login
details.

This submit button, however, triggered an obscure and lengthy error message,
something to do with the output of the server can't be parsed maybe because
of println's or whatever. I am a webmaster for several sites and even I
couldn't figure out exactly what it was complaining about. In any case, it
wasn't working.

Before I continue, let me add that in the process of logging in members are
reminded of a recent administrative requirement to take a brief online
course on OPSEC (operational security) and agree to the OPSEC
rules. Apparently, someone had released the new radio frequency lists, which
had been changed because the old lists were publicly available. I took the
online course (it did not require logging in!) and submitted a form with the
"I agree to abide by the OPSEC requirements" box checked.  In brief, I
agreed not to tell things to people who didn't need to know them.

I went to the helpdesk page and submitted a problem report. In the
problem report I had to enter both my member number and email address.
That's the same data the "forgot password" form required.

In response, I was requested to provide my SSN and another piece of
information. The request arrived by email, but with instructions not to
answer by email, but to POST THIS INFORMATION AS A RESPONSE ON A PROBLEM
REPORT WEBPAGE. A web page that required no login to reach. My response was
"yeah, right."

By e-mail, I received a followup response. "Please provide your daytime
phone number and we will call you to get the information."

Keep in mind, this is an auxiliary to the US Air Force, a government
operation, at a .mil address, where I had just been required to certify that
I would follow OPSEC rules to protect their data. They expected that I would
tell my SSN to anyone who calls on the phone asking for it.  I don't tell
the magazine subscription people my true "month of birth" or other bit of
personal data they want to "verify they'd spoken to me", I sure as heck am
not going to tell Joe Random Caller my SSN. (But this is the same CAP that
routinely sells my membership data to credit card companies, who want me to
get my special "CAP logo credit card" at their special usurious rate.)

In my response I asked first if they were kidding me, or if this was some
kind of test to see if I understood the meaning of OPSEC. I pointed out that
the "forgot password" page required only my id number and email address,
both of which they already had, and maybe they should just trigger the
"forgot password" action using the data they already had.  They had no need
for anything more. Or, barring that, fix the original problem and I would
get the update myself.

This response got me passed off to someone else who realized (I hope) the
stupidity of what they had asked me to do, or at least the futility (I
expect) of getting me to cooperate, and an email with my login credentials
arrived shortly thereafter.

The final nail? They did not reset my password to a new value and then force
me to change it upon the next login. They sent me my EXISTING PASSWORD IN
PLAINTEXT. WITH MY USERNAME.

This is YOUR government at work, folks.
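The two password-reset stories above fail in complementary ways: the cable company issues a temporary password an attacker already knows, and the CAP site can mail back the existing password because it stores it in a recoverable form. The following is an added example, not code from either organisation: it puts the weak reset beside a hardened one. The hardened flow stores only a salted PBKDF2 digest (so nothing can be mailed back in plaintext), issues an unguessable single-use token that expires, stores only a hash of that token, and leaves the old password valid until the token is redeemed, so an attacker requesting a reset for a victim gains nothing and locks nobody out. The company name, the 15-minute lifetime and the iteration count are assumptions for the illustration.

```python
import hashlib
import hmac
import os
import secrets
import time

# In-memory stores, constructed for this example; a real service would use a database.
ACCOUNTS = {}        # username -> {"salt": bytes, "digest": bytes}
RESET_TOKENS = {}    # sha256(token) -> (username, expiry as unix time)

PBKDF2_ROUNDS = 100_000
RESET_TTL_SECONDS = 15 * 60      # assumed: a reset token is good for 15 minutes
COMPANY_NAME = "ExampleCable"    # placeholder for the cable company's name

def _pbkdf2(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)

def set_password(username, password):
    """Store only a salted digest, so nobody can later mail the password back in plaintext."""
    salt = os.urandom(16)
    ACCOUNTS[username] = {"salt": salt, "digest": _pbkdf2(password, salt)}

def check_password(username, password):
    acct = ACCOUNTS.get(username)
    if acct is None:
        return False
    return hmac.compare_digest(_pbkdf2(password, acct["salt"]), acct["digest"])

# --- The flow the first post describes: the temporary password is always the company name.
def weak_reset(username):
    """Overwrites the victim's password with a value any attacker already knows and
    returns what would be e-mailed. The attacker never needs the victim's mailbox."""
    set_password(username, COMPANY_NAME)
    return COMPANY_NAME

# --- Hardened flow: random, single-use, expiring token; old password valid until redeemed.
def request_reset(username, now=None):
    """Returns the token to send ONLY to the address on file, or None for an unknown
    user (the caller should show the same 'check your e-mail' message either way)."""
    now = time.time() if now is None else now
    if username not in ACCOUNTS:
        return None
    token = secrets.token_urlsafe(32)
    key = hashlib.sha256(token.encode("ascii")).hexdigest()   # store a hash, not the token
    RESET_TOKENS[key] = (username, now + RESET_TTL_SECONDS)
    return token

def redeem_reset(token, new_password, now=None):
    """Consumes the token; only at this point does the old password stop working."""
    now = time.time() if now is None else now
    key = hashlib.sha256(token.encode("ascii")).hexdigest()
    entry = RESET_TOKENS.pop(key, None)       # pop: single use, whether valid or not
    if entry is None:
        return False
    username, expiry = entry
    if now > expiry:
        return False
    set_password(username, new_password)
    return True

if __name__ == "__main__":
    set_password("alice", "correct horse")
    print("weak reset mails:", weak_reset("alice"))
    print("attacker logs in:", check_password("alice", COMPANY_NAME))
    set_password("bob", "hunter2")
    tok = request_reset("bob")
    print("old password still works before redemption:", check_password("bob", "hunter2"))
    print("redeemed:", redeem_reset(tok, "new pass"), "reuse:", redeem_reset(tok, "again"))
```

Note that the hardened `request_reset` changes nothing about the account: the security of the flow rests entirely on the token reaching only the mailbox on file, which is why it must be unpredictable and short-lived.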


Risks: Unlock your house via the Internet

<Gabe Goldberg <gabe@gabegold.com>>
Thu, 16 Oct 2008 21:51:22 -0400

What could possibly go wrong?
http://www.theinquirer.net/gb/inquirer/news/2008/09/04/unlock-house-via-internet


Re: Remarkable -- United Airlines Stock (Nelson, RISKS-25.38)

<Martin Gregorie <martin@gregorie.org>>
Wed, 15 Oct 2008 00:42:46 +0100

Russ Nelson is correct in supposing that automated trading takes place, but
I think he has his trading operations backward: surely it's 'sell' if the
price exceeds an upper limit and 'buy' if it's below the lower limit.  After
all, the purpose of the program is to make money, not to give it away!

The usual term for his "mean people" is short sellers. They don't need money
to operate: if they are well regarded enough, many markets will let them
sell what they don't have in the expectation that the price will drop and
they can then acquire the stock at a lower price before they have to
complete the bargain by delivering it to the purchaser.  Needless to say, if
they go short on a large enough amount of stock, the expected price fall
becomes a self-fulfilling prophecy.

A similar thing happened in Australia during the Poseidon bubble, when more
shares than existed in a mining stock were short sold when the bubble burst,
but there was no bail-out for those gamblers. Trading in the stock was
suspended and the short sellers were forced to complete their bargains no
matter how much money they lost in the process.  Needless to say, the
stockholders made a killing and the short sellers lost their shirts. Then
short selling was banned completely and trading resumed.


Re: Outliers

<Jurek Kirakowski <jzk@ucc.ie>>
Mon, 20 Oct 2008 12:11:06 +0100

Outliers have been mentioned recently (25.37 and 25.39). One should take
care to distinguish between an outlier and an unexpected reading.

1. When the target is moving, you can never be sure whether an unexpected
  reading is an error (therefore trim it) or true but the start (worsening,
  etc.) of a trend. Making *either* assumption on a priori grounds can be
  dangerous to your health and is risky.

2. When the target is static and the measurement process is relatively
  uncontaminated then you may use the normal distribution assumptions
  -- variation is error -- and identify unexpected readings as "outliers" (i.e.,
  you claim to know the distribution and therefore can consider this reading
  "lies outside.") But the onus is on you to establish that the first two
  conditions are met. Not to do so is also risky.

Ratings from a dozen or so judges, some of which may be biased either way?
Simple. Use medians. If there is no bias then the mean = median. If there
is, the median process removes the biases (including the horrible thought
that there may be a coalition of judges.)
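The robustness claim above can be made concrete by asking how large a coalition of judges has to be before it moves each statistic outside the range of the honest ratings. The following is an added example, not code from the post: the twelve honest ratings are constructed sample data, and the coalition is assumed to report the maximum score of 10.

```python
from statistics import mean, median

# Constructed ratings from twelve honest judges (sample input, not data from the post).
HONEST = [6.8, 7.1, 7.0, 6.9, 7.2, 7.0, 6.7, 7.1, 7.3, 6.9, 7.0, 7.2]

def with_coalition(ratings, size, value):
    """Replace the first `size` honest ratings with a coalition that all report `value`."""
    return [value] * size + list(ratings[size:])

def summarize(ratings):
    return {"mean": mean(ratings), "median": median(ratings)}

def within_honest_range(honest, estimate):
    return min(honest) <= estimate <= max(honest)

def coalition_needed(honest, stat, value=10.0):
    """Smallest coalition, all reporting `value`, that drags `stat` of the panel
    outside the range of the honest ratings; None if no coalition can."""
    for size in range(1, len(honest) + 1):
        if not within_honest_range(honest, stat(with_coalition(honest, size, value))):
            return size
    return None

if __name__ == "__main__":
    for size in (0, 3, 6):
        print(f"coalition of {size}: {summarize(with_coalition(HONEST, size, 10.0))}")
    print("judges needed to break the mean:  ", coalition_needed(HONEST, mean))
    print("judges needed to break the median:", coalition_needed(HONEST, median))
```

With this panel two colluding judges already push the mean above every honest rating, while the median stays inside the honest range until the coalition is half the panel, which is the median's 50% breakdown point; the flip side is that a coalition of six or more defeats it completely.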


Re: Investigator: Computer likely caused Qantas plunge (RISKS-25.38)

<"Rieden, Peter (UK)" <Peter.Rieden@baesystems.com>>
Fri, 17 Oct 2008 12:14:59 +0100

Perhaps this should be re-titled "Risk of Inflammatory reporting".

To quote from the piece:
1. "A faulty computer unit likely caused a Qantas jetliner to experience
   two terrifying midair plunges within minutes last week"
2. "and then went into a nose-dive, dropping about 650 feet in 20 seconds"

A 650-foot drop in 20 seconds gives a vertical velocity of 22 mph. Taking a
conservative estimate of cruise speed at 600 mph, simple geometry tells us
that this "terrifying mid-air plunge" amounted to a 2.1-degree dive -
something which even the most attentive of passengers would be unlikely to
have noticed. Whilst I fully accept that the failure to hold altitude has
significant concerns for air-traffic safety, I suggest that this "terrifying
plunge" stuff is tabloid baloney which should be ridiculed rather than
repeated.


Re: Investigator: Computer likely caused Qantas plunge (RISKS-25.38)

<Ron Garret <ron@flownet.com>>
Thu, 16 Oct 2008 11:40:52 -0700

It should be pointed out that these rates of descent (~2000 fpm) are quite
typical for a jetliner even during normal operation.  Even a small plane can
safely descend at these rates, though that would feel fairly dramatic.


Re: Sydney NS vs. Sydney NSW (Schafer, RISKS-25.38)

<Chuck Charlton <charlton@gmail.com>>
Tue, 14 Oct 2008 20:21:28 -0700

The three-letter codes for those two airports are SJC and SJO respectively.
My sister once booked the wrong one.  I told her that she should have just
flown into SFO.  [Chuck Charlton, San Francisco]


Re: Illinois high-speed trains (RISKS-25.38)

<Joseph Brennan <brennan@columbia.edu>>
Tue, 14 Oct 2008 20:38:05 -0400

> The improved technology will also boost train speeds from 79 m.p.h.

Cool.  The reason this will allow train speeds above 79 m.p.h. is that the
Interstate Commerce Commission made a rule in *1922* that required cab
signals like this for speeds of 80 and up.
<http://en.wikipedia.org/wiki/Cab_signalling>

Joseph Brennan, Columbia University Information Technology


Re: Risks of a new laptop (Brown, RISKS-25.38)

<SMiller@unimin.com>
Tue, 14 Oct 2008 17:03:43 -0400

There seem to be a number of unfounded or otherwise curious assumptions in
M. Brown's inquiry.  Regarding items 2 & 3 - Dell is re-labeling Absolute
Software's (http://www.absolute.com/) Computrace service, which I happen to
use extensively on behalf of my employer.  A Computrace equipped laptop will
attempt to "phone home" via Internet connection once per day.  Obviously,
there does need to _be_ a connection.  The computer is identified via an ESN
(a 16 x 36-value [0-9; A-Z] unique string assigned by Absolute when the
product is registered).  The ESN is correlated in Absolute's database with
the hardware MAC address and other hardware items to establish a
"fingerprint" for the computer.  Regarding relationships with law
enforcement, Absolute does pretty well, in my experience.  The issue in
recovery lies mostly with the requirements to have a judge authorize a
search warrant (or local equivalent) to serve on the ISP, and yet again for
the physical location of the stolen computer.  That can be a pain, but to
make it easier would only further threaten our Liberty; I recommend leaving
that as is, thank you very much.  A small piece of Computrace code that is
capable of reinstalling the main program at next Internet connection is
loaded on ROM on compatible (all Dells, most models of other brands)
computers.  So the hard drive may be formatted or replaced and the tracking
program will reinstall itself.  A computer was stolen from my employer's
premises in 2006, and the very first thing that the thief did was swap out
the hard drive.  That computer was calling in again within 36 hours.
Regarding Data Delete, see the above constraints on computer identification.
In addition, Absolute requires that computer owners pre-register any
administrators to be authorized for Data Delete (at a substantial cost per
admin), and the log in requires two factor authentication using a password
and a time-based RSA key issued to registered admins.  Lastly, initiating
Data Delete costs 250 USD, and Absolute wants assurance about where the
money is coming from before they nuke the computer.  Is it impossible that a
black hat could maliciously trigger this function?  Hardly, but there would
seem to be many ways to inflict equivalent damage that are a darned sight
easier (not to mention cheaper) to effect.  I am mystified why any thinking
human would assume that it was impossible for data to be stolen before the
Data Delete function was invoked.  I wouldn't, and Absolute has never stated
or implied otherwise (although it sadly doesn't much surprise me to find
that Dell seems to have dumbed down the description of the service).  So the
alternative of giving a potential data hijacker an unlimited time window to
conceive of and execute theft of data is preferable to an imperfect,
less-than-real-time deletion in exactly what way?  Regarding the certified
destruction of data (#4), I can't quite make out whether M. Brown is trying
to belittle the perceived need for this service, or its implementation by
Dell.  We also use this service as part of Dell's Asset Recovery Services,
of which the more important part to us is their certification that the
computer has been disposed of in compliance with all applicable
environmental laws and regulations.  We do a 7-pass DOD wipe (DBAN) before
such a computer is sent to Dell, however the data destruction service does
provide some additional assurance in the event that our in-house wiping
procedure has quietly failed.  In the case of the typical consumer, the
admitted risk is no doubt offset by the probability that most users would
not know or care to even attempt to purge data on their own, and those who
did would probably do no more than a Windows delete operation on files.


Correction/disclaimer re unistable polyhedron

<Ken Knowlton <KCKnowlton@aol.com>>
Fri, 17 Oct 2008 21:37:21 EDT

  [... the 17-sided unistable uniform solid that will always roll over onto
  the same side ...  PGN]

Not quite. (1) The question, lying around for years, was "What convex
polyhedron with the least number of faces, cut from uniform material, can be
demonstrated to be gravitationally stable on only one face?"  Mine had 19,
not 17, faces. (2) On submitting this for publication, I learned that Richard
Guy already had the very same design in the galleys, with the presses
running, having found it two months earlier (he was gracious enough to say
that I had independently discovered it).

  [Ken, TNX for the correction.  Tangential to RISKS, but we always strive
  for correctness.  PGN]


Re: The folly of retaining default settings

<Mark Thorson <eee@sonic.net>>
Fri, 03 Oct 2008 15:24:39 -0700

Ken Knowlton incorrectly recounts Richard Feynman's exploits.  Feynman
opened the file cabinets by guessing that the combination chosen by Frederic
de Hoffman was based on a natural constant.  It was e (the base of the
natural logarithms).

The Captain's safe was opened by the Los Alamos locksmith, who told Feynman
how he did it.  He knew the default combinations were usually 25-0-25 or
50-25-50.  It was the latter.

You can read about it here:

http://www.gorgorat.com/

Search down for "Safecracker Meets Safecracker".


Re: D10T: National Debt Clock is out of digits (Brader, RISKS-25.38)

<MHR <mhullrich@gmail.com>>
Tue, 14 Oct 2008 13:34:54 -0700

If the clock is out of digits, can't they just print some more?

Mark Hull-Richter, Linux Software Developer, Registered Linux User #472807
[sign up at http://counter.li.org/]
