The Risks Digest

The RISKS Digest

Forum on Risks to the Public in Computers and Related Systems

ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

Volume 25 Issue 48

Thursday 18 December 2008

Contents

Computer problem shuts down Toronto Stock Exchange for a day
Mark Brader
"Smart" vehicles - do they introduce new risks?
Mike Martin
An old clock arithmetic problem
Kees Huyser
Another translation adventure
Hal Murray
Cute piece of malware engineering
Drew Dean
Thieves Winning Online War, Maybe Even in Your Computer
John Markoff via Monty Solomon
CheckFree DNS hijacked
Hal Murray
Software Security Top-10 Surprises
Gary McGraw via PGN
iPhone thief thwarted by MobileMe sync
Nick Rothwell
Risks of data retention
Mark Armbrust
Password complexity? Not wiith LinkedIn
Leon Kuunders
Teacher Throws Fit Over Student's Linux CD
Mike Rechtman
FYI - !b404
Rob Slade
"Helpful" authentication
Erling Kristiansen
The Perfect Law: Re: Dangerous Precedence Set
Martin Ward
REVIEW: "The Business Privacy Law Handbook", Charles H. Kennedy
Rob Slade
Info on RISKS (comp.risks)

Computer problem shuts down Toronto Stock Exchange for a day

<msb@vex.net (Mark Brader)>
Thu, 18 Dec 2008 16:23:48 -0500 (EST)

This is not what it usually means to say "the stock market was down"
or "the stock market crashed"!

Yesterday the Toronto Stock Exchange (TSX) and the affiliated TSX
Venture Exchange were open for only 18 minutes after early trading
revealed a problem with the quotes being sent out.  This was reported
as a "network firmware issue" that "resulted in complications with
data sequencing"; the backup system also failed.

The problem was not rectified until late enough in the afternoon
that it had already been decided to close for the day.

See:  http://www.cbc.ca/money/story/2008/12/18/tsxresumption.html

Mark Brader, Toronto, msb@vex.net | "Fast, cheap, good: choose any two."


"Smart" vehicles - do they introduce new risks?

<"mike martin" <mke.martn@gmail.com>>
Sun, 14 Dec 2008 10:56:48 +1100

The Economist reports this week on technology-based measures that vehicle
manufacturers are introducing to prevent or ameliorate traffic accidents:

"Many of these safety systems at first give warning of impending danger
before taking over. Despite that potential delay they still provide what
Rodolfo Schöneburg, Daimler's head of passive safety, has described as an
"electronic crumple zone": applying the brakes a bit late rather than not at
all will at least reduce the impact of a collision.

"Yet sometimes there is no room for any delay in avoiding an accident, for
instance when a vehicle jumps a stop sign at a busy junction. This means
safety systems will need to become even more autonomous in order to act
faster -- faster, probably, than people can. But because cars will be acting
independently of each other, this raises safety concerns of its own.

"Researchers worry, for example, about what might happen if a child ran into
a busy road. If one car automatically slammed on its brakes and swerved, it
could prompt others to take evasive action. The result of all these
automatic, independent decisions could be a pile-up causing more deaths,
injuries and damage than there would have been had drivers remained in
charge. So some researchers are now looking at ways in which vehicles could
co-ordinate their crash-avoidance manoeuvres. This means that in an
emergency cars would have to tell each other at once what they were about to
do, says Thomas Batz of the Fraunhofer Institute for Information and Data
Processing in Karlsruhe, Germany."
http://www.economist.com/science/displaystory.cfm?story_id=12758720

Collision avoidance (TCAS) technology has been generally beneficial in
aircraft, although the 2002 mid-air collision of two planes over Switzerland
resulted from conflict between a TCAS instruction and one from an air
traffic controller ("July 2002 air collision revisited", RISKS-23.23
<http://catless.ncl.ac.uk/Risks/23.23.html#subj1>).  However motor vehicle
drivers rarely have the same degree of training in how to handle emergencies
as airline pilots. A study by an Australian university found that while
vehicles equipped with ABS (anti-skid) brakes were less likely to be
involved in multi-vehicle crashes compared with the same models lacking ABS
brakes, they were 35% over-involved in single-car accidents,
http://www.racv.com.au/wps/wcm/connect/Internet/Primary/my+car/car+safety/safety+equipment/brakes/ABS/.

Advanced technology protection systems may confuse drivers not used to their
action in an emergency or may cause them to become over-confident and take
risks that they otherwise would not. Paying hundreds, or perhaps thousands,
of dollars extra for technology that allows a driver to feel safer may not
result in that driver actually being safer. I haven't even started to
speculate on risk of software defects in these systems.


An old clock arithmetic problem

<Kees Huyser <kees.huyser@nikhef.nl>>
Tue, 9 Dec 2008 09:39:56 +0100

  [Re: Risks of assuming constant hours in a day (Sampson, RISKS-25.47)]

About 20 years ago my then-boss discovered a systematic difference in the
time accounting software that was running on our mainframe computer.  This
accounting software would calculate for what length of time a user had been
using a given resource on the computer.

The computer was running Unix and, since we had a source license, the boss
started digging into the source code.  He eventually found the error not in
the accounting software, but on a lower level in the operating system where
a programmer in the USA had assumed that the whole world did things the way
they were done in America.

The error?  Seconds = Hertz

  [I presume that programmer would have been "in Dutch" with your then-boss,
  with some frequency!  PGN]


Another translation adventure

<Hal Murray <hmurray@megapathdsl.net>>
Thu, 11 Dec 2008 15:33:18 -0800

One of Europe's most prestigious scientific journals, the *Max Planck
Forschung* (Research) journal had a special issue on China.  The cover art
in the German language edition was supposed to be an example of Chinese
calligraphy, a poem, but actually was an ad for a Hong Kong strip joint.
(It had been allegedly vetted by a respected Sinologist.)  In the online and
subsequent English print versions, the cover art was replaced with
calligraphy written by a 16th-century Jesuit titled Illustrated Explanations
of Strange Devices, as shown in the website, which also provides some
translations of the original.  [PGN-ed]

http://www.smh.com.au/news/home/technology/eminent-scientific-journal-gets-hit-for-sex/2008/12/11/1228584998876.html


Cute piece of malware engineering

<Drew Dean <ddean@csl.sri.com>>
Tue, 9 Dec 2008 11:21:25 -0800

Recently, I've been receiving a number of obvious spams with a ZIP file
attached, the zip file name being <my email address>.zip.  Today, for
amusement, I saved the download to take a look at it: there was one file in
the ZIP archive, named with my email address: ddean@csl.sri.com .  The Unix
file(1) program told me everything I needed to know: it's a Windows
executable.  Now, the .COM extension denotes an ancient MS-DOS executable
file format, which, IIRC, is restricted to 64KB of code and data, etc.  (The
file in question is 28KB or so, UPX compressed [whatever that is].)

But that's a beautiful attempt at social engineering: most people probably
don't remember .com being an executable file format, and what harm could a
file named with your email address do?  Not having Windows handy, I couldn't
easily find out, nor would I want to in any case....


Thieves Winning Online War, Maybe Even in Your Computer (Markoff)

<Monty Solomon <monty@roscom.com>>
Tue, 9 Dec 2008 23:15:51 -0500

John Markoff, *The New York Times*, 6 Dec 2008

Internet security is broken, and nobody seems to know quite how to fix it.

Despite the efforts of the computer security industry and a half-decade
struggle by Microsoft to protect its Windows operating system, malicious
software is spreading faster than ever. The so-called malware
surreptitiously takes over a PC and then uses that computer to spread more
malware to other machines exponentially.  Computer scientists and security
researchers acknowledge they cannot get ahead of the onslaught.

As more business and social life has moved onto the Web, criminals thriving
on an underground economy of credit card thefts, bank fraud and other scams
rob computer users of an estimated $100 billion a year, according to a
conservative estimate by the Organization for Security and Cooperation in
Europe. A Russian company that sells fake antivirus software that actually
takes over a computer pays its illicit distributors as much as $5 million a
year.

With vast resources from stolen credit card and other financial information,
the cyberattackers are handily winning a technology arms race.

"Right now the bad guys are improving more quickly than the good guys," said
Patrick Lincoln, director of the computer science laboratory at SRI
International, a science and technology research group.

A well-financed computer underground has built an advantage by working in
countries that have global Internet connections but authorities with little
appetite for prosecuting offenders who are bringing in significant amounts
of foreign currency. That was driven home in late October when RSA
FraudAction Research Lab, a security consulting group based in Bedford,
Mass., discovered a cache of half a million credit card numbers and bank
account log-ins that had been stolen by a network of so-called zombie
computers remotely controlled by an online gang. ...

http://www.nytimes.com/2008/12/06/technology/internet/06security.html


CheckFree DNS hijacked

<Hal Murray <hmurray@megapathdsl.net>>
Mon, 08 Dec 2008 20:07:15 -0800

Hackers Hijacked Large E-Bill Payment Site

http://voices.washingtonpost.com/securityfix/2008/12/hackers_hijacked_large_e-bill.html

The attack, first reported by *The Register* began in the early morning
hours of 2 Dec 2008, when CheckFree's home page and the customer login page
were redirected to a server in the Ukraine.  CheckFree spokeswoman Melanie
Tolley said users who visited the sites during the attack would have been
redirected to a blank page that tried to install malware.

Digging Deeper Into the CheckFree Attack

http://voices.washingtonpost.com/securityfix/2008/12/digging_deeper_into_the_c
heckf.html?nav=rss_blog

The hijacking of the nation's largest e-bill payment system this week offers
a glimpse of an attack that experts say is likely to become more common in
2009.

A spokeswoman for Network Solutions, the Herndon, Va., domain registrar that
CheckFree used to register its Web site name, told Security Fix Wednesday
that someone had used the correct credentials needed to access and make
changes to CheckFree's Web site records.

CheckFree controls between 70 to 80 percent of the U.S. online bill pay
market.  Still, the phishing angle suggests that the attackers managed to
phish not only an employee at CheckFree, but an employee who happened to
know the credentials needed to administer the company's site records.

- - - - - -

I can think of a couple of ideas that would help avoid disasters like this.

Spreading the word about this particular event is probably the most
important.  People need to understand why they are doing all the extra silly
work.

I think the registration update procedure for major domains should require
more than a simple web login.  One approach would be a phone call by the
registrar to a number setup out of band.  The cost would be minor since the
data doesn't change very often.

Of course, people with valuable passwords should take good care of them.
Using it on a Windows machine is obviously a high risk.  So is using a
system you aren't familiar with.

If I was paranoid enough, I'd probably store the password on paper and never
store it on a disk.  To do something that needs that password I'd boot a
system that runs from a CD.  If I had to use Windows, I'd use a system that
had been freshly installed and was behind a good firewall.  A good web proxy
and lots of logging might help.

How many other important passwords does a company like CheckFree have?


Software Security Top-10 Surprises

<"Peter G. Neumann" <neumann@csl.sri.com>>
Thu, 18 Dec 2008 14:04:03 PST

Gary McGraw <gem@cigital.com> thought RISKS readers might get a kick out of
an article just published by Gary, Brian Chess, and Sammy Migues:
  http://www.informit.com/articles/article.aspx?p=1315431


iPhone thief thwarted by MobileMe sync

<Nick Rothwell <nick@cassiel.com>>
Thu, 18 Dec 2008 16:14:55 +0000

"While at the dry cleaner one day, Rob's iPhone was stolen. He immediately
chalked it up as gone forever, and proceeded to purchase a brand new one
that same evening. It was the next day when unfamiliar contacts began to
appear on the new phone. The (not-too-bright) thief was unwittingly
supplying him with names and phone numbers of his or her closest friends,
via the magic of MobileMe synchronization from the stolen phone to the cloud
and eventually to his new phone."
  http://www.tuaw.com/2008/12/17/iphone-thief-thwarted-by-mobileme-sync/

Nick Rothwell / Cassiel.com Limited  www.cassiel.com


Risks of data retention

<Mark Armbrust <mark.armbrust@pobox.com>>
Thu, 18 Dec 2008 14:17:58 -0700

I received a phone call yesterday morning from Fed Ex Freight confirming
that I had equipment available to unload the 28 foot beam that they were
delivering today.  My name, my cell phone number, my home address.

Well, I'm happy they called to make sure I can get my load off the flatbed
truck that's delivering it, but there's a small problem -- this is not my
order.  I've never hear of the shipper, some redwood products company in
California.

I haven't heard anything more from Fed Ex so I assume they figured out where
this beam was supposed to go.

I had some furniture shipped by Fed Ex Freight earlier this year.  A one
time shipment that was arranged by the furniture vendor with shipping fees
paid through the vendor.

I'm assuming that an account was created for the destination address for my
shipment, and that account still exists and somebody at Fed Ex mistyped the
account number for the actual destination and got my (should have been
temporary) account number and the beam made an erroneous 1200 mile trip to
Colorado.

Two things are fairly obvious:
 o One-time accounts should be very hard, if not impossible, to reuse.
   They should also have short purge times.
 o Account numbers should have check codes to preclude typical entry
   errors like transpositions and off by ones.

I wonder where that beam was supposed to go!
I wonder if I'll get a bill for the shipping!


Password complexity? Not wiith LinkedIn

<Leon Kuunders <leon@kuunders.info>>
Fri, 12 Dec 2008 10:30:59 +0100

The social network website LinkedIn is very well known. It is the place
where professionals meet and extend their networks. Just as other social
network sites the LinkedIn network offers third parties the ability to add
applications to their framework. Their are API's for Amazon, Huddle, Google
and also one for Slideshare.net. This last website offers you the
possibility to publish your presentations online.

When you add the Slideshare API to your LinkedIn profile you are able to
connect your Slideshare account to your LinkedIn profile. The way it works:
you enter your user-id and password of Slideshare into a box, and presto!
your Slideshare profile is Linked.

I tried it several times but failed. Somehow the system kept telling me that
my user-id and/or password did not match the ones used at Slideshare.  First
I wondered: is it my username ("leon") which has too few characters? But
then it occurred to me: it was the "complexity" of my password that caused
the problems.  My password (generated with a password generator) was
"az<VK/gq#".

Notice the "<" sign?

The risks: a chain is as strong as the weakest link (..edIn).

leon@kuunders.info  http://xri.net/@trusted-id/leon  skype://leonkuunders


Teacher Throws Fit Over Student's Linux CD

<Mike Rechtman <mike@rechtman.com>>
Sat, 13 Dec 2008 15:58:31 +0200

http://austinist.com/2008/12/10/aisd_teacher_throws_fit_over_studen.php

Free? - That's illegal!

A teacher has thrown a student into detention and threatened to call the
police for using Linux in her classroom.

The teacher spotted one of her students giving a demonstration of the HeliOS
distro to other students. In a somewhat over-the-top reaction, she
confiscated the CDs, put the student on detention and whipped off a letter
to the HeliOS Project threatening to report it to the police for
distributing illegal software.

Home: http://alpha.mike-r.com/ QOTD: http://alpha.mike-r.com/php/qotd.php


FYI - !b404

<Rob Slade <rMslade@shaw.ca>>
Wed, 10 Dec 2008 17:37:33 -0800

An interesting study.  As one who has published an infosec dictionary, I've
seen, first hand, how fast our technical jargon has changed (and often
degraded).  The effect of the technology, and the pervasive nature of the
changes, is intriguing.

Highlights:
 - new communications technology, particularly text messaging abbreviations
   (textese), creating new terms entering the language
 - errors by the technology ("predictive" numeric keypad text interpretation
   of "book" instead of "cool") creating new slang (book now means cool or
   good) *
 - terms from local technologies (the Oyster card error codes) are entering
   the language more broadly
 - testese messages take longer to read, and generate more errors

http://news.bbc.co.uk/2/hi/technology/7775013.stm
ftp://ftp.royalmail.com/Downloads/public/ctf/po/TechChat-Draft2.pdf

(Unfortunately, a link to the Australian study seems to be missing.)

Relevance to security?  Well, I don't agree with the final statement in the
BBC story.  Any change to the language that increases the error level in
communications has got to be dangerous.

* I've heard my grandkids say this, and wondered where it came from.  The
technical reasons for this are fascinating in themselves.  Predictive typing
technology is based on the numeric keypad equivalent of words, and is based
on the frequency of word usage in English.  "Book" and "cool" are equivalent
(2665) on a numeric keypad.  In general English, book is going to be the
more widely used word, and so the algorithm chooses book first when you type
2665.  However, textese is used by teens much more widely than by the rest
of the population, and I am morally certain that teen textese uses cool much
more frequently than it uses book.

I am also interested in competition in terms of the acronyms.  LAMP has been
widely used in technical (and particularly online) circles to refer to the
use of Linux, Apache, MySQL, and PHP/Python/Perl for the creation of
Websites.  It is interesting to note a completely different use of LAMP in
the financial arena.  (We already have a similar confusion of SOA depending
upon whether the speaker is from the BS 7799/ISO 27K community [statement of
applicability, aka scope] or the ITIL tribe [service oriented
architecture].)

rslade@vcn.bc.ca rslade@computercrime.org victoria.tc.ca/techrev/rms.htm
blogs.securiteam.com/index.php/archives/author/p1/


"Helpful" authentication

<Erling Kristiansen <erling.kristiansen@xs4all.nl>>
Fri, 12 Dec 2008 17:06:08 +0100

I phoned my credit card company.

After giving my name and address, the following conversation took place:

  Credit card guy: Please give me you date of birth for authentication.

  Me: <my date of birth>

  Credit card guy, sounding genuinely surprised: Strange, I have a
  completely different date. I have <another date>.

  Me: That's my wife's date of birth.

(which is true, but he couldn't really know that, my wife hasn't got a card
with that company; I could have said that to whatever date he had given me).
This seemed to satisfy him, and we proceeded with the business I called
about.


The Perfect Law: Re: Dangerous Precedence Set

<Martin Ward <martin@gkc.org.uk>>
Tue, 9 Dec 2008 11:34:02 +0000

(Re: Federal Criminal Charges for Violation of Commercial Online ToS?)

>From the government's point of view, the "Perfect Law" is one which
everyone has broken. With this law, anyone the government does not like (for
whatever reason) can be arrested and imprisoned.

>From the citizen's point of view, such a law means the end of the rule of
law.  You are now living in a tyranny: any criticism of the government could
land you in jail with no recourse.

"But," you protest, "I haven't violated the Terms of Service of any web
site!"  What about that government-run web site which just about everyone in
the country is required to sign up for. On page 16 of the voluminous Terms
of Service is a poorly-worded note to the effect that anyone who criticises
any action of the government is in violation of the Terms of Service of this
web site.

martin@gkc.org.uk http://www.cse.dmu.ac.uk/~mward/


REVIEW: "The Business Privacy Law Handbook", Charles H. Kennedy

<Rob Slade <rMslade@shaw.ca>>
Thu, 18 Dec 2008 12:18:25 -0800

BKBUPRLH.RVW   20081123

"The Business Privacy Law Handbook", Charles H. Kennedy, 2008,
978-1-59693-176-3, U$109.00
%A   Charles H. Kennedy ckennedy@mofo.com
%C   685 Canton St., Norwood, MA   02062
%D   2008
%G   978-1-59693-176-3 1-59693-176-0
%I   Artech House/Horizon
%O   U$109.00 617-769-9750 800-225-9977 artech@artech-house.com
%O  http://www.amazon.com/exec/obidos/ASIN/1596931760/robsladesinterne
  http://www.amazon.co.uk/exec/obidos/ASIN/1596931760/robsladesinte-21
%O   http://www.amazon.ca/exec/obidos/ASIN/1596931760/robsladesin03-20
%O   Audience a- Tech 2 Writing 2 (see revfaq.htm for explanation)
%P   312 p.
%T   "The Business Privacy Law Handbook"

The preface states that this is a survey of business privacy law in
the United States, and the changes that field is undergoing, intended
for business managers and those advising them.  The introduction is
rather interesting: on the one hand, it lays out a five-step process
to guide the task of ensuring compliance with privacy regulations, and
on the other, it points out how complex this undertaking is, in the
labyrinthine legal environment of the US.

Part one addresses issues of information relating to consumers and
customers.  Chapter one deals with information collected on the Internet and
through Websites.  As the US has no general national standards in this
regard, most of the discussion deals with the design of corporate privacy
policies for Websites.  There is also an examination of the Children's
Online Privacy Protection Act (COPPA).  Various US and state laws with
implications for general information security and protection are noted in
chapter two, which also has a brief section on information risk
identification.  Legislation relating to companies in the financial industry
are reviewed in chapter three.  Chapter four notes the provisions of the
Electronic Communications Privacy Act, the Stored Communications Act, and
special provisions for communications carriers.  The implications of HIPAA
(the Health Insurance Portability and Accountability Act) for the health
industry are outlined in chapter five, which also notes some related state
laws.  Although ostensibly about the European Union privacy directives, the
rather terse material in chapter six is more about the Safe Harbor framework
of the US Department of Commerce.

Part two looks at job applicants and employees.  Chapter seven is a
brief review of the hiring process, and it is interesting to note that
the common opposition (by employers) to providing detailed references
has little objective basis.  The examination of internal
investigations, as discussed in chapter eight, is limited, and repeats
content from chapter seven.  Chapter nine's deliberation on
surveillance is primarily concerned with tapping of phone and email
conversations.

Part three turns to communications with customers and consumers, with
three successive chapters on marketing types of intercourse;
telemarketing (in chapter ten), fax advertising (eleven), and spam
(twelve).  Chapter thirteen, on the monitoring of customer
communications, is a mere three paragraphs in total length, and is a
reiteration of some of the content of chapter nine.

Appendices list state privacy and data security laws.

It is unfortunate that the title does not make clear the US-centric
nature of the material, but it is reasonable for a legal text to
concentrate on one jurisdiction.  Despite occasional shortcomings in
specific areas, this text does provide a detailed, up-to-date and
quite comprehensive overview of the convoluted mess of American
privacy law.

copyright Robert M. Slade, 2008   BKBUPRLH.RVW   20081123
rslade@vcn.bc.ca     slade@victoria.tc.ca     rslade@computercrime.org
victoria.tc.ca/techrev/rms.htm blogs.securiteam.com/index.php/archives/author/p1/

Please report problems with the web pages to the maintainer

Top