The RISKS Digest

Forum on Risks to the Public in Computers and Related Systems

ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

Volume 25 Issue 49

Tuesday 30 December 2008

Contents

Three undersea cables cut
Dave Burstein via Dave Farber
Risks of flawed default behavior for your UAV
John O Long
Risks of excessive State data collection
Toby Douglass
Fun with speed-trap cameras for revenge
Arthur T.
David Hollman
No-Name
Trust me, I have a cert!
David Lesher
Massive Embezzlement Case Involving Fry's Electronics
Lauren Weinstein
Fired Fry's executive: 'Caught up in the game'
Lisa Fernandez and Julia Prodis Sulek via Monty Solomon
In Move to Digital TV, Confusion Is in the Air
Eric A. Taub via Monty Solomon
VHS Rides Off Into The Sunset
Geoff Duncan via Monty Solomon
Inauguration Cellular Overloads
David Lesher
Automatic URL recognition
Bill Hopkins
Shooting Yourself in the Foot - on purpose?
Marc
Another method to lose your credit card
Erich Neuhauser
Re: Cute piece of malware engineering
Paul Robinson
Re: Teacher Throws Fit Over Student's Linux CD
Kelly Bert Manning
How to become a digital forensic evidence expert
Fred Cohen
Info on RISKS (comp.risks)

Three undersea cables cut (via Dave Farber's IP)

<Dave Burstein <daveb@dslprime.com>>
December 19, 2008 11:27:46 AM EST

Traffic greatly disturbed between Europe and Asia/Near East zone

> From: France Telecom / Press <infos.group@orange-ftgroup.com>
> To: France Telecom / Press <infos.group@orange-ftgroup.com>
> Subject: Three undersea cables cut: traffic greatly disturbed
>   between Europe and Asia/Near East zone
> Date: Fri, 19 Dec 2008 17:09:03 +0100 (CET)

http://www.orange.com/en_EN/press/press_releases/cp081219en.html

Paris, 19 Dec 2008
France Telecom Marine cable ship about to depart

France Telecom observed today that 3 major underwater cables were cut: Sea
Me We 4 at 7:28am, Sea Me We3 at 7:33am and FLAG at 8:06am.  The causes of
the cut, which is located in the Mediterranean between Sicily and Tunisia,
on sections linking Sicily to Egypt, remain unclear.

Most of the B to B traffic between Europe and Asia is rerouted through the
USA.  Traffic from Europe to Algeria and Tunisia is not affected, but
traffic from Europe to the Near East and Asia is interrupted to a greater or
lesser extent (see country list below).  Part of the internet traffic
towards Reunion is affected as well as 50% towards Jordan.  A first
appraisal at 7:44 am UTC gave an estimate of the following impact on the
voice traffic (in percentage of out-of-service capacity):

 - Saudi Arabia: 55%
 - Djibouti: 71%
 - Egypt: 52%
 - United Arab Emirates: 68%
 - India: 82%
 - Lebanon: 16%
 - Malaysia: 42%
 - Maldives: 100%
 - Pakistan: 51%
 - Qatar: 73%
 - Syria: 36%
 - Taiwan: 39%
 - Yemen: 38%
 - Zambia: 62%

France Telecom immediately alerted one of the two maintenance boats based in
the Mediterranean area, the Raymond Croze. This France Telecom Marine cable
ship based at Seyne-sur-Mer has received its mobilization order early this
afternoon and will cast off tonight at 3:00 am with 20 kilometers spare
cable on board. It should be on location on Monday morning for a relief
mission.  Priority will be given to the recovery of the Sea Me We4 cable,
then on the Sea Me We3.  By December 25th, Sea Me We4 could be operating. By
December 31st, the situation should be back to normal.


Risks of flawed default behavior for your UAV

<John O Long <j1long@us.ibm.com>>
Tue, 30 Dec 2008 14:18:10 -0500

The Homesick UAV, 29 Dec 2008, http://www.strategypage.com:

In 2007, Ireland bought two Israeli Orbiter UAV systems, for $550,000 each.
They had lost two of their six UAVs in Chad, where a battalion of Irish
peacekeepers are operating. The second UAV casualty apparently tried to
fly back to Ireland, after it lost its communications link with the
operator. The Orbiter is programmed to head back to the operator if it loses
its comm link. But this Orbiter apparently still had a GPS location back in
Ireland in its memory, and headed there. Since Ireland is 5,000 kilometers
from Chad, the Orbiter ran out of juice and landed about 4,800 kilometers
short of its goal.

The designers were trying to provide some appropriate default behavior in
case the UAV lost contact with its operator. This is good, and may not have
been a big deal in Israel, because most of its UAVs are operated near its
borders.  No one thought about the possibility of using the UAV far outside
a country's borders.  It should have recorded the original operator's
location in order to fly back to that location.

John O Long * Process Architect - IBM Tivoli Unified Process
919-224-1446 t/l 687-1446 * j1long@us.ibm.com

  [Erin go blagh?  Erin call home.  PGN]
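The fix the post asks for, as an added example (not Orbiter firmware or anything from StrategyPage): the return-to-home target is the operator position captured at link-up for this mission, never a coordinate left in memory from an earlier deployment, and the decision is checked against remaining range before the aircraft commits. The Chad and Ireland coordinates, the stale stored home and the range figure are constructed values; the range is assumed to come from the power system.

```python
"""Link-loss failsafe: return only toward a home captured this mission, and only
if it is reachable. Added example with constructed positions and range values."""
from math import asin, cos, radians, sin, sqrt

EARTH_RADIUS_KM = 6371.0

def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in kilometres between two latitude/longitude points."""
    p1, p2 = radians(lat1), radians(lat2)
    a = (sin((p2 - p1) / 2) ** 2
         + cos(p1) * cos(p2) * sin(radians(lon2 - lon1) / 2) ** 2)
    return 2 * EARTH_RADIUS_KM * asin(sqrt(a))

def flawed_link_loss(stored_home, position):
    """The behaviour the post describes: head for whatever 'home' is in memory,
    with no check that it belongs to this mission or is within range."""
    return ("RETURN_HOME", stored_home)

class LinkLossFailsafe:
    """Hardened policy: home is bound to this mission's link-up, not to memory."""

    def __init__(self, stored_home=None):
        self.stale_home = stored_home  # survived from a previous deployment; never used
        self.home = None               # operator position recorded at link-up this mission

    def on_link_up(self, operator_position):
        # Capture the operator's position every time the link comes up, overwriting
        # anything left from the last mission. This is the fix the post asks for.
        self.home = operator_position

    def on_link_loss(self, position, range_km):
        """Decide what to do when the command link drops. range_km is the flight
        distance the remaining battery supports (assumed to be reported by the
        power system in this example)."""
        if self.home is None:
            return ("LOITER", None)      # no home captured this mission: hold and wait
        distance = haversine_km(*position, *self.home)
        if distance > range_km:
            return ("LAND", None)        # home is out of reach: land under control instead
        return ("RETURN_HOME", self.home)

# Constructed scenario: operator and aircraft in Chad, stale home left from Ireland.
CHAD_OPERATOR = (12.1, 15.0)
CHAD_AIRCRAFT = (12.3, 15.2)
STALE_IRELAND_HOME = (53.3, -6.3)
```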


Risks of excessive State data collection

<"Toby Douglass" <trd@45mercystreet.com>>
Tue, 30 Dec 2008 20:39:58 +0100 (CET)

A British Government report, funded by money taken through tax, argues for
speed limiting devices on cars. Argues it will reduce car accidents with
injuries by 29%.

http://news.bbc.co.uk/1/hi/uk/7803997.stm

First questions; 29% of what? what's the period which is being used to
compare against? is it representative? does it just include cars, or
lorries? does it include all roads, everywhere, or just (say) cities? what
about accidents with fatalities? what about the additional accidents which
will happen now, where people previously managed to escape by accelerating
out of danger? how do they figure that accidents would be reduced anyway?
I'm kinda wondering if they just took existing car accident statistics (how
accurate are they? on what basis are they calculated?), looked at those
accidents which happened where speeding was involved, and applied some sort
of reducing factor they constructed.

What about accidents which would have happened anyway, even if the cars had
been doing the local speed limit? presumably this was accounted for in their
reducing factor? if so, by how much? how do you decide what reduction to
use?

It works like this; each car has a GPS unit. Each car has a speed-limiting
unit, which contains a map of the roads in the UK and their speed limits and
since GPS is there, knows where the car is, and prevents the car going
faster than the speed limit.

First thoughts; you know as well as I do that unit will record your journeys
and that data will be available, by law, to the State, and that your car,
sooner or later, will be legally obliged to carry that unit.

Just because powers are granted to a State by a democratic process does not
mean the State will use them democratically.

What about our right of privacy? of simply being left alone?

Here's another thought; what if there's an emergency and you need to break
the local speed limit? will there be an over-ride switch? if so, what's to
stop it being permanently turned on? will it have a time-out? what if the
time-out is too short or too long? and if your unit notices that you are
persistently breaking the local speed limit, what's it going to do? will it
report you to the police? will, next time your car is serviced, the record of
all your journeys be checked for breaking the speed limit and then you'll be
charged?


Fun with speed-trap cameras for revenge

<"Arthur T." <Risk200812.risk.atsjbt@xoxy.net>>
Tue, 23 Dec 2008 00:11:21 -0500

According to one news article, students are printing up fake license plates
specifically in order to speed past speedcams.  The person whose plate was
printed then gets a bill for the fine.

There's no reason it wouldn't work, as long as the speedcams don't also get
pictures of the driver (as they do in England).  However, the one story on
it that I saw is not convincing.  All of the reports of its occurrences seem
to come from one unnamed source.  One of the quotes may be correct
regardless, though: "It will cause potential problems for the Speed Camera
Program in terms of the confidence in it."

*Montgomery [Maryland] County Sentinel*, 11 Dec 2008
http://www.thesentinel.com/302730670790449.php


Fun with speed-trap cameras for revenge

<"David Hollman" <dah8@cornell.edu>>
Tue, 23 Dec 2008 00:41:32 +0000

Students Use Speed Cameras to Frame Innocent Drivers, Prank Teachers
http://www.dailytech.com/Students+Use+Speed+Cameras+to+Frame+Innocent+Drivers+Prank+Teachers/article13749.htm

"I've objected to the robotic menaces primarily on the grounds that they
were fallible revenue machines for the state rather than legitimate means of
protecting life and limb," said Examiner.com's J.D. Tucille. "It never
occurred to me that the [speed cameras] were also handy tools for wreaking
revenge on enemies and authority figures. That was clearly a lapse of
imagination on my part."

Aside from the pranking itself, a secondary effect may be to diminish trust
in the legitimacy of valid tickets (particularly since it was reported some
perpetrators used similar-looking cars to the victim's).  Good quality and
access to the data collected would help to address this (e.g., are the
photos provided with the ticket? High or low res?  Color or B&W? etc...) as
better data should make it easier to prove there was fraud.  But on whom
does the burden of proof lie?


Fun with speed-trap cameras for revenge

<No-Name <labmanager@gmail.com>>
December 20, 2008 2:46:21 PM EST

Maryland Students Use Speed Cameras for Revenge (via Dave Farber's IP)
http://www.thenewspaper.com/news/26/2632.asp

Maryland Students Use Speed Cameras for Revenge
Students in Montgomery County, Maryland use fake license plates to
send speed camera tickets to enemies.

High school students in
Maryland are using speed cameras as a tool to fine innocent drivers in a
game, according to the Montgomery County Sentinel newspaper. Because photo
enforcement devices will automatically mail out a ticket to any registered
vehicle owner based solely on a photograph of a license plate, any driver
could receive a ticket if someone else creates a duplicate of his license
plate and drives quickly past a speed camera.  The private companies that
mail out the tickets often do not bother to verify whether vehicle
registration information for the accused vehicle matches the photographed
vehicle.

In the UK, this is known as number plate cloning, where thieves will find
the license information of a vehicle similar in appearance to the one they
wish to drive. They will use that information to purchase a real license
plate from a private vendor using the other vehicle's numbers. This allows
the "cloned" vehicle to avoid all automated punishment systems. According to
the Sentinel, two Rockville, Maryland high schools call their version of
cloning the "speed camera pimping game."

A speed camera is located out in front of Wootton High School, providing a
convenient location for generating the false tickets.  Instead of purchasing
license plates, students have ready access to laser printers that can create
duplicate license plates using glossy paper using readily available
fonts. For example, the state name of "Maryland" appears on plates in a font
similar to Garamond Number 5 Swash Italic. Once the camera flashes, the
driver can quickly pull over and remove the fake paper plate. The victim
will receive a $40 ticket in the mail weeks later. According to the
Sentinel, students at Richard Montgomery High School have also participated,
although Montgomery County officials deny having seen any evidence of faked
speed camera tickets.

[Source: Local teens claim pranks on county's Speed Cams, *Montgomery County
Sentinel* (MD), 11 Dec 2008]



Trust me, I have a cert!

<"David Lesher" <wb8foz@panix.com>>
Tue, 30 Dec 2008 14:27:15 -0500 (EST)

<http://www.win.tue.nl/hashclash/rogue-ca/>

We have identified a vulnerability in the Internet Public Key Infrastructure
(PKI) used to issue digital certificates for secure websites. As a proof of
concept we executed a practical attack scenario and successfully created a
rogue Certification Authority (CA) certificate trusted by all common web
browsers.  This certificate allows us to impersonate any website on the
Internet, including banking and e-commerce sites secured using the HTTPS
protocol.
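The hashclash result relied on an MD5 chosen-prefix collision against a CA that was still signing certificates with MD5, so the practical check for a site or browser operator is whether any certificate in a chain carries an MD5-based signature. Added example, not code from the hashclash team or from the post: a pure-stdlib DER walker that reads each certificate's signatureAlgorithm and flags md5WithRSAEncryption; the OIDs are the standard PKCS#1 values and the PEM stubs it is exercised on are constructed, not real certificates.

```python
"""Audit an X.509 chain for signatures made with a collision-prone hash (MD5).
Pure-stdlib DER walker; the PEM stubs built at the end are constructed, not real
certificates. Added example, not code from the hashclash team or the RISKS post."""
import base64
import re

# PKCS#1 RSA signature OIDs -> (name, weak). md5WithRSAEncryption is the one to hunt.
SIGNATURE_OIDS = {
    "1.2.840.113549.1.1.4": ("md5WithRSAEncryption", True),
    "1.2.840.113549.1.1.5": ("sha1WithRSAEncryption", False),
    "1.2.840.113549.1.1.11": ("sha256WithRSAEncryption", False),
}

def _read_tlv(buf, pos):
    # (tag, value, next_pos) for the DER element at pos; handles long-form lengths.
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # low 7 bits = number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def _decode_oid(body):
    arcs, val = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:                      # base-128; high bit set on all but the last byte
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(val)
            val = 0
    return ".".join(map(str, arcs))

def signature_algorithm(cert_der):
    """Dotted OID of the algorithm the issuer used to sign this certificate.
    Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signatureValue }"""
    tag, body, _ = _read_tlv(cert_der, 0)
    if tag != 0x30:
        raise ValueError("certificate is not a DER SEQUENCE")
    _, _tbs, pos = _read_tlv(body, 0)       # skip tbsCertificate
    _, alg, _ = _read_tlv(body, pos)        # AlgorithmIdentifier
    tag, oid, _ = _read_tlv(alg, 0)         # its first element is the algorithm OID
    return _decode_oid(oid)

def load_pem_chain(text):
    """DER blobs for every CERTIFICATE block in PEM text, in file order."""
    blocks = re.findall(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", text, re.S)
    return [base64.b64decode("".join(b.split())) for b in blocks]

def audit_chain(ders):
    """[(index, oid, name, weak)] per certificate. A self-signed root's own signature
    is trusted by fiat; the signatures on the certificates below it are the forgeable ones."""
    report = []
    for i, der in enumerate(ders):
        oid = signature_algorithm(der)
        name, weak = SIGNATURE_OIDS.get(oid, ("unknown", False))
        report.append((i, oid, name, weak))
    return report

def _tlv(tag, body):
    assert len(body) < 0x80                 # short-form length suffices for the stubs
    return bytes([tag, len(body)]) + body

def _encode_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([arcs[0] * 40 + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        while arc > 0x7F:
            arc >>= 7
            chunk.append(0x80 | (arc & 0x7F))
        out.extend(reversed(chunk))
    return bytes(out)

def synthetic_cert_pem(sig_oid):
    """Constructed certificate-shaped DER (stub tbsCertificate), wrapped as PEM."""
    tbs = _tlv(0x30, _tlv(0x02, b"\x01"))
    alg = _tlv(0x30, _tlv(0x06, _encode_oid(sig_oid)) + _tlv(0x05, b""))
    der = _tlv(0x30, tbs + alg + _tlv(0x03, b"\x00" + bytes(16)))
    return "-----BEGIN CERTIFICATE-----\n%s\n-----END CERTIFICATE-----\n" % base64.b64encode(der).decode()
```

Run `audit_chain(load_pem_chain(open("chain.pem").read()))` on a real PEM bundle; any entry with `weak` set below the root is a signature an MD5 collision could have forged.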


Massive Embezzlement Case Involving Fry's Electronics

<Lauren Weinstein <lauren@vortex.com>>
Tue, 23 Dec 2008 09:08:22 -0800 (PST)

I dare say that many of us have a love/hate relationship with Fry's
Electronics, and their massive, themed stores.  There are several of them
here in the L.A. area, and my favorite is the SciFi themed (the UFO crashed
into the building!) site in Burbank
(http://lauren.vortex.com/archive/000071.html -- apologies for the horrid
cell phone camera photo from more than four years ago).  The store out here
in the West San Fernando Valley is themed to "Alice in Wonderland"
throughout.   [Lauren's comment suggests he is a rabbit admirer?  PGN]

Fry's has always seemed to have a highly disciplined, very much
top-down management style -- to say the least.  If you've been there,
you know what I mean.  Fry's has become the "go to" place for
immediate access electronics parts for many years.

Now comes word that the single individual reported to be ultimately
responsible for all merchandise stocking at all Fry's has been
arrested in a $65M embezzlement case, complete with gambling debts and
jets to Vegas.

http://www.latimes.com/business/la-fi-frys24-2008dec24,0,7762946.story

And that's no white rabbit.

lauren@vortex.com  +1 (818) 225-2800 lauren@pfir.org http://lauren.vortex.com
http://www.pfir.org/lauren  Network Neutrality Squad - http://www.nnsquad.org

  [Do you want Fry's with that order instead of Fries?  PGN]


Fired Fry's executive: 'Caught up in the game' (MercNews)

<Monty Solomon <monty@roscom.com>>
Sun, 28 Dec 2008 23:10:46 -0500

Fired Fry's executive: 'Caught up in the game' in Vegas, Silicon Valley
Lisa Fernandez and Julia Prodis Sulek, *San Jose Mercury News*, 28 Dec 2008

Abbi Vakil was hoping to strike a deal with Fry's Electronics to sell his
company's iPhone battery when he first met Omar Siddiqui on the second floor
of the company's headquarters on Brokaw Road.

Siddiqui, Fry's vice president of merchandising, wasn't tall, but he looked
like he stepped out of the pages of a men's fashion magazine with his sharp
tailored suit - the gold chains around his neck notwithstanding. Just as
Vakil began his sales pitch, Siddiqui grabbed the $15 battery and flung it
"like a Frisbee" into the credenza.

What happened next gives an indication of just how this high-level
executive, the son of a Pakistani diplomat who was crazy about fast cars and
blackjack tables, bullied his way over three years into $65 million in
kickbacks from vendors for space on Fry's shelves to try to pay off his
gargantuan gambling debts, according to federal authorities. It's an
allegation the 42-year-old bachelor now faces in San Jose federal court.

If Vakil's company wanted to do business with Fry's, Siddiqui glowered at
him, Vakil would have to pay him $20,000. "It just didn't make any sense,''
Vakil, now vice president at FastMac.com, told the Mercury News of the 2006
encounter. "How many products would we have to sell to make a profit? We
could have been selling horse manure.  All he cared about was, 'What's in it
for me?' ...

http://www.mercurynews.com/ci_11322297

  [Fired?  Fried or Fryed!  PGN]


In Move to Digital TV, Confusion Is in the Air (Eric A. Taub)

<Monty Solomon <monty@roscom.com>>
Sun, 28 Dec 2008 03:18:18 -0500

Eric A. Taub, *The New York Times*, 22 Dec 2008

The Federal Communications Commission sponsored a Nascar race car as part of
its effort to inform Americans that on Feb. 18, television signals
transmitted over the air will be transmitted solely in digital format. Old
TV sets will no longer work.

It paid $350,000 to emblazon "The Digital TV Transition" and other phrases
on a Ford driven by David Gilliland.

So how's that going? In November, the car crashed during a Nascar race in
Phoenix. It was the second crash in as many months.

And how is the digital TV transition going? According to critics, about as
well, despite a major marketing campaign that includes nightly ads on TV.

According to surveys conducted by the Consumers Union, a consumer advocacy
group that also publishes Consumer Reports magazine, while 90 percent of the
nation is aware of the transition, 25 percent mistakenly believe that one
must subscribe to cable or satellite after February, and 41 percent think
that every TV in a house must have a new converter box, even those that are
already connected to cable or satellite. ...

http://www.nytimes.com/2008/12/22/technology/22digital.html


VHS Rides Off Into The Sunset (Geoff Duncan)

<Monty Solomon <monty@roscom.com>>
Wed, 24 Dec 2008 17:51:06 -0500

Geoff Duncan, VHS Rides Off Into The Sunset, 23 Dec 2008
http://news.digitaltrends.com/news-article/18730/vhs-rides-off-into-the-sunset

The venerable VHS tape is finally vanishing in the rear-view mirror as the
last major supplier stops distribution.

VHS tape, the format that for better - and worse - brought video into untold
millions of households around the world is finally going the way of the
dinosaur -- at least in the United States. After the 2008 holiday season,
Distribution Audio Video - the last major distributor of VHS tapes in the
United States - is finally calling it quits, and will stop distributing VHS
tapes. Although Hollywood hasn't released a movie in VHS format since 2006,
a number of bargain retailers were still stocking the format, and it's also
lived on in a number of isolated markets like cruise ships, public
libraries, military bases, and care facilities.

"It's dead, this is it, this is the last Christmas, without a doubt," said
Distribution Video Audio president Ryan J. Kugler, to the L.A. Times. "I
was the last one buying VHS and the last one selling it, and I'm
done. Anything left in warehouse we'll just give away or throw away."

Consumers have long since indicated their preference for DVD over VHS tapes,
and Distribution Audio Video is now in the DVD distribution business --
although it predicts DVDs are also on their way out, to be replaced by
Blu-ray.

Nonetheless, the shutdown of the last major VHS distributor in the United
States doesn't mean the world has finally embraced digital video. Countless
titles and content that have been available on VHS have yet to be released on
DVD; whether it be classic films from pre-war Hollywood or simply
performances by under-appreciated bands and artists, the amount of material
available on DVD has yet to encompass everything that was available on
VHS. And, of course, VHS will continue to live for some time in developing
markets around the world.


Inauguration Cellular Overloads

<"David Lesher" <wb8foz@panix.com>>
Fri, 26 Dec 2008 16:33:35 -0500 (EST)

So with various estimates for the 20 Jan Inauguration turnout running from
1.5 to 5 million people, the cellular industry has been releasing PR about
what they are doing to prepare.

The usual approach is to add small portable cell-sites, often "COWs" [Cell
On Wheels] with some kind of backhaul to the region's Mobile Telephone
Switching Office [MTSO].

They are also pleading with customers to abstain from talking and sending
pictures; instead please use SMS/texting. [Texting queues, unlike voice.]
And they have more quietly mentioned pecking order control that gives
precedence to specific phones, presumably the police chief, various
coordinators, etc.

But I have a different concern. Well before the talking stage, each
carrier's MTSO must first recognize and register every phone it finds.  I
wonder how large the available registration tables are in the various
CDMA/GSM/iDEN MTSOs -- can they even poll and hold all that respond?


Automatic URL recognition

<"Bill Hopkins" <whopkins@wmi.com>>
Fri, 19 Dec 2008 14:25:58 -0500

A *Philadelphia Inquirer* article, when rendered for their website, has an
interesting artifact of (I suspect) a simple-minded automatic URL
recognition algorithm.  Is it okay to assume that three consecutive w's
won't occur in English, and need not be lexically distinct to start a URL?
"Awwww," said the RISKS community.

http://www.philly.com/inquirer/weekend/classical_music/20081211_Young_conductor__old_soul__eh_.html

The concert, despite short rehearsal, was fabulous.

  [I presume they did not play anything by WaczslawWWieniawsky?  PGN]


Shooting Yourself in the Foot - on purpose?

<Marc <Heart.of.Dixie@gmail.com>>
Fri, 19 Dec 2008 12:18:19 -0600

I'm a Big User of Gmail. I generally don't notice the targeted ads that
appear alongside messages, but this one caught my eye:

  E-Mail Lists-Free Quotes
  Free Quotes from Multiple Brokers Compare & Save - 5000+ names only
  www.(domain-removed).com/email_lists

Is Google trying to use up spare bandwidth & server resources?

Google does have very big feet, though.


Another method to lose your credit card

<"Erich Neuhauser, ENSOFT GmbH" <E.Neuhauser@ensoft.de>>
Tue, 30 Dec 2008 15:18:18 +0100

Yesterday, my wife tried to do some transactions on an ATM. Everything
looked fine and so she fed her credit card into the appropriate slot.  The
machine pulled the card inside, the screen turned black and the machine
stood still. Very annoyed, she pushed her finger against the dark
touchscreen repeatedly. The screen remained dark, but an acoustic signal
told her that the computer was still alive. As she had some idea about
where the Eject-"button" should be on the screen, she repeatedly pushed that
position with her finger and after some 10 or 20 tries suddenly her credit
card came out of the beast. One more victory of men over machines.

But - what would the system have done, if she had given up after some tries
less? Worst: push out the card after a timeout. Best: dump the card to the
safe after a timeout. Probably: hold the internal state, waiting for the
next visitor (that would find the card slot full and then try - what?).

Handling failures of signaling devices is not new to many technical domains,
but in the case of a touchscreen the control device also becomes (nearly)
useless and so does the idea of emergency action via the input device. The
solution: a good old emergency pushbutton beneath the touchscreen?


Re: Cute piece of malware engineering (Dean, RISKS-25.48)

<Paul Robinson <paul@paul-robinson.us>>
Wed, 24 Dec 2008 19:30:03 -0800 (PST)

UPX was a type of (obviously) lossless compression used on executable files,
with the idea that on slow media like hard drives, it would be faster to
load a program which was compressed, then uncompress it into memory.  The
UPX header in the front of the executable, I believe, decompresses itself as
it's being loaded.  It could also be used as a type of
anti-reverse-engineering tool, since the actual program would not be on
disk, only a compressed version would be, and if the compressed version were
encrypted with an internal password (I don't know if UPX did this, but it is
possible) then you'd need to use something like the software equivalent of a
logic probe to watch where the executable was loaded in order to be able to
figure out what it was doing.  In the case of a piece of Malware, it would
be a great idea because it would make it much, much harder to get a virus
signature since you'd have to allow the header to load the program (in order
to decompress it) but somehow stop it from fully loading before the payload
was executed.

Machines have gotten so much faster that compressing executables to
save time loading off of disk is basically a deprecated practice.
Also some of the software has gotten smarter, e.g. Borland's compilers
would discard code that is never used when its linker built the
program, so the executable might not even have extra unused code.


Re: Teacher Throws Fit Over Student's Linux CD (Robinson, RISKS-25.48)

<bo774@freenet.carleton.ca (Kelly Bert Manning)>
Sun, 28 Dec 2008 23:33:16 -0500 (EST)

The incident may be exactly as described, but my paranoia level tends to
rise when something that seems to perfectly match my stereotypical view of
some group or individual crops up. If it sounds too perfect an incident to
be true, then perhaps it isn't true and someone is hoping to have fun seeing
what reaction they can generate.

I hope that the HeliOS project member who responded to "Karen" checked the
e-mail headers and applied other e-mail authentication strategies before
responding.

In addition to Joe-job spam, "jokes" mean that even non-bulk e-mail is not
always what it purports to be.

This might turn out to be an example of a different sort of computer related
risk, assuming that e-mail came from the source shown in the visible From:
line and that it was composed by them.


How to become a digital forensic evidence expert

<Fred Cohen <dr.cohen@mac.com>>
Sat, 20 Dec 2008 17:43:19 -0800

California Sciences Institute will be hosting a short course on "How to
Become a Digital Forensic Evidence Expert" on Jan 19, 2009 in the Bay Area
near San Francisco, CA. There will be a $40 charge for attendees, and the
program will run from 6-9 PM. If you are interested in additional details,
please look for them at:
http://calsci.org/2008/2009-01-HowTo-Become-DFE-Expert.pdf
