Another Peter Neumann (!!) reports in the *Berliner Zeitung* 17 Jan 2009: On January 14, 2009 at 14.03 the plug got pulled on the German national train system's computers - all of them. No ticket machines would work, either the self-service or the counter machines; the Internet pages returned 404s; the boards in the train stations telling you which track to take died; and apparently even some of the operations computers just shut off. There was a single point of failure - the "uninterruptible" power system (UPS). The computer center of the Deutsche Bahn in Mahlsdorf (Berlin) was was upgrading the UPS. Suddenly there was no electricity flowing through the mains. None. And the entire system fell like a house of cards. Oh, they had a backup system set up [for lots of money, we suppose, I've seen the computer centers, they look like prisons, windowless monstrosities with high fences topped by razorwire -dww] just down the road in Biesdorf. The speaker won't say exactly what happened, but the cut-over to the backup system did not work. It took hours to get the system back up and running - apparently every system assumes that every other system is already up and running, and turning them all on at the same time is quite a drain on electricity. The speaker will not go into any more detail on this topic, except to say that the specific nature of the error meant that each system had to be restarted by itself. Of course, the usual speculation made the rounds - hackers, terrorists, viruses. But again - never make up complicated theories for what can be explained by simple incompetence. The speaker: We have found the weak point and can guarantee that something like this will never happen again. comp.risks has a long memory.... Prof.Dr. Debora Weber-Wulff, FHTW Berlin, FB 4, Treskowallee 8, 10313 Berlin http://www.f4.fhtw-berlin.de/people/weberwu/ +49-30-5019-2320
*The Register* reports that "staff at hospitals across Sheffield are battling a major computer worm outbreak after managers turned off Windows security updates for all 8,000 PCs on the vital network" with "more than 800 computers ... infected with self-replicating Conficker code". And how did this happen? The worm takes advantage of a known problem that is resolved through a Windows patch that wasn't installed because "the decision to disable automatic security updates was taken during Christmas week after PCs in an operating theatre [were] rebooted mid-surgery. Conficker was detected" on 29 Dec 2008. http://www.theregister.co.uk/2009/01/20/sheffield_conficker/ Or in short: - Life-critical systems rely on software that has a long history of vulnerabilities. - To avoid critical interruptions, automatic fix installation is disabled, with no backup process for installing them at non-critical times. - These systems are interconnected (including to the Internet) for whatever reason. - There are (apparently) no other protection mechanisms beyond installing fixes. - Malware leaks in to the network and spreads. - The interaction of the above leads to really bad results. And where is the surprise? Even Microsoft's license agreement notes that you shouldn't use their software for life-critical systems (among other things). Perhaps that's just a CYA thing, but one would hope that there's consideration of the risks before ignoring those terms. [Also noted by Toby Douglass. Incidentally, Phil Porras (whose Cyber-Threat Analytics project <http://www.cyber-ta.org> has been tracking conficker) noted to me that the relevant RPC exploit was patched and distributed by MS's security update service on 23 Oct 2008. PGN]
Brian Krebs, *The Washington Post*, 16 Jan 2009 A sneaky computer worm that uses a virtual Swiss army knife of attack techniques has infected millions of Microsoft Windows PCs, and appears to be spreading at a fairly rapid pace, security experts warn. Also, while infected PCs could be used for a variety of criminal purposes -- from relaying spam to hosting scam Web sites — there are signs that this whole mess may be an attempt to further spread so-called "scareware," which uses fake security alerts to frighten consumers into purchasing bogus computer security software. The worm, called "Downandup" and "Conficker" by different anti-virus companies, attacks a security hole in a networking component found in most Windows systems. According to estimates from Finnish anti-virus maker F-Secure Corp., the worm has infected between 2.4 million and 8.9 million computers during the last four days alone. If accurate, those are fairly staggering numbers for a worm that first surfaced in late November. Microsoft issued an emergency patch to fix the flaw back in October, but many systems likely remain dangerously exposed. One reason for this is because businesses will generally test patches before deploying them on internal networks to ensure the updates don't break custom software applications. In the meantime, an infected laptop plugged into a vulnerable corporate network can quickly spread the contagion to all unpatched systems inside that network. But the worm also has methods for infecting systems that are already patched against the Windows vulnerability. According to an analysis last week by Symantec, the latest versions of Downadup copy themselves to all removable or mapped drives on the host computer or network. This means that if an infected system has a USB stick inserted into it, that USB stick will carry the infection over to the next Windows machine that reads it. That's an old trick, but apparently one that is apparently still very effective. ... http://voices.washingtonpost.com/securityfix/2009/01/tricky_windows_worm_wallops_mi.html [Conficker is apparently even more widespread than reported above. PGN]
Lauren Weinstein's Blog Update, 19 Jan 2009 http://lauren.vortex.com/archive/000497.html Greetings. It's well known that a significant portion of the Obama administration's stimulus plans will likely be a major thrust toward electronic medical records. These are touted as reducing errors, creating jobs, and saving money — though it's arguable if medical consumers are the ones who actually pocket the savings in most cases. But there are serious concerns about these systems as well — reminding us that exactly the same sorts of problems that tend to plague our other computer-based ecosystems could now start hitting people's medical records in pretty much the same ways. *The New York Times* (19 Jan 2008) had an excellent story about privacy and security issues associated with electronic medical records — and the medical industry heavyweights who are trying to water down related provisions in associated and upcoming legislation. http://www.nytimes.com/2009/01/18/us/politics/18health.html A few days ago, AP reported on a range of potentially serious medical errors *created* by the Veterans Administration's new electronic medical records system. http://www.tampabay.com/news/military/veterans/article967778.ece Both Google and Microsoft have unveiled electronic medical records systems for users, and are actively seeking partnerships with major medical treatment organizations. While they both promise comprehensive privacy and control by users — in some ways that exceed those mandated by HIPAA privacy requirements, these systems are explicitly not actually covered by HIPAA -- though my hunch is that this status is likely to change in the near future. The key concern with such non-HIPAA medical records systems isn't their privacy and security at the moment — which as I noted appear to be good at present. Rather, an important aspect of HIPAA is that it represents a set of rules that cannot be arbitrarily changed by the organizations involved. Consumers need to know that the "rules of the game" when it comes to their medical records will not be subject to unilateral alterations on the basis of business conditions or management changes, outside the realm of legislated national rules. My belief is that electronic medical records in general, and the services like those from Google and MS in particular, have the potential for significant benefits. I also believe that a massive rush into any of these environments could end up creating a whole new range of problems that could waste money, risk privacy, and in the worst case even cost lives. I trust that Congress will move with deliberate speed, but not be pressured, in the area of electronic medical health records implementation, and that they will put patients' rights to privacy, accuracy, security, control, and choice at the top of agenda. A stampede to electronic medical records without due consideration and care would be a very dangerous prescription indeed.
[Source: David Mehegan, *The Boston Globe*, 19 Jan 2009] Cursive, foiled again: We e-mail, we text, we Twitter - what will become of handwriting? "The moving finger writes," says the famous Rubaiyat of Omar Khayyam, "and, having writ, moves on." Nowadays, the finger more likely is hammering away on a computer keyboard, texting on a cellphone, or Twittering on a BlackBerry. If you predate the computer age, you might remember a school subject called "penmanship," which trained your cursive handwriting, usually by the Palmer Method. The penmanship teacher would come by once a week to rate your work, and if your handwriting was bad, you'd hear about it. It's still taught, to be sure, but it's no longer emphasized. "There's been a decline in attention to all kinds of basic skills," said Louise Spear-Swerling, coordinator of the graduate program in learning disabilities at Southern Connecticut State University. "With handwriting, people think it's just not that important." Some people are concerned, though, and one is Kitty Burns Florey, whose book "Script and Scribble: The Rise and Fall of Handwriting" comes out Friday - John Hancock's birthday and National Handwriting Day. Florey, author of nine novels and a book about sentence diagramming, became interested in the subject after reading that computer keyboarding has displaced handwriting in schools. ... http://www.boston.com/ae/books/articles/2009/01/19/cursive_foiled_again/
In the UK there is a Government Gateway web site used to access a number of government services. One of the better hidden services is that it is possible to register a claim for unemployment benefit. Like many of the UK's IT staff I now have need of the service. Everything starts off reasonably well. Access to the site requires an ID that is delivered to users by post, together with a password users can choose for themselves. So far so good. Registering a claim for "Jobseekers' Allowance" takes the user through a questionnaire that parallels the one that most people deal with via a telephone interview. At the end of the process the user is given a final chance to review the data and finally confirm that they wish to submit a claim. At this point the user is presented with a pop-up confirmation that the claim has been submitted. The interesting thing is that the claim has not been submitted at that point and still has a status of "not yet submitted." The next stage should presumably be that the claim is actioned, but this part of the code silently fails. The claim will stay in limbo. Unless the user has some reason to return to the system and log in again they have no reason to suspect that their data has been dropped on the floor. If they do log in again they will see the "not yet submitted" status and can complete the submission again, getting a new pop-up saying that the claim has been submitted. Which submission will again be silently dropped on the floor and the "not yet submitted" flag will remain unchanged. I'm sure that there must be a lesson to be learned from this, probably several. I hope that one of the lessons which will be learned is that when you FUBAR a user's data, don't do it to a RISKS subscriber. Bernard Peek, London, UK. DBA, Manager, Trainer & Author.
At the Consumer Electronics Show (CES) this year, a number of booth personnel were wearing cameras on their chests that recorded video & audio of every person they talked to the entire day. The cameras had enough quality to pick up the names on the badges of the people they talked with. According to one gentleman, the camera allowed him to focus on talking with the person and not wasting time getting his/her badge information. These cameras are not expensive — one of the booths I stopped at was actually selling them. I expect them to start showing up at all kinds of business meetings. The future you project is already here.
> The future you project is already here. That being the case ... I'll add my social predictions. :-) Prosecutors today complain of the "CSI effect": On the CSI series of TV shows, every week, crimes are solved by introducing all kinds of detailed, highly specific, scientific evidence. Juries assume that that's the way things work in the real world, and convincing them without it has gotten harder - an attitude the defense bar encourages, of course. But the reality of scientific evidence doesn't approach the fantasy. In a world of ubiquitous recording, anything that *wasn't* recorded will seem, at the least, less reliable - and eventually even suspicious. "If you had nothing to hide, why didn't you make a recording of what you were doing?" The common law has traditionally accepted oral contracts - special cases, going back the the oddly- named Statue of Frauds, excepted - in recognition of the inconvenience of memorializing on paper the huge number of dealings in which we are involved on a daily basis, especially in business. The "he said/she said" evidentiary arguments that inevitably follow are just something that we have to accept to keep commerce flowing. In a world where every conversation is trivially recorded - will we continue to do that? — Jerry
Billion Dollar Mistake? (Dagenais, RISKS-25.51) I'd be willing to bet that the actual number is far, far higher, especially when adjusted for inflation. But I applaud Tony for his apology. I haven't yet heard an apology from Fortran/C/C++/etc. creators over their inability to police array bounds. A good fraction of the ACM Fellows (perhaps the ACM itself?) need to provide mea culpas over this issue. To a first approximation, the lack of array bounds checking created the virus/worm industry, and we are still paying handsomely for this. Madoff was a rank amateur by comparison. Computer "scientists" have been producing insecure code like this since before NASDAQ was started.
[Re: Risks of data retention 25.48 (Armburst RISKS-25.48)] I'm not sure I agree the assertion that one-time accounts should never be re-used. I can see a significant benefit of storing and keeping current such information as a way to reduce errors from having to enter the information each time. I think the problem comes from the resulting system, and ensuring that the re-used information is correct and correctly used. Also, if a failure occurs, then the system (human and automated) needs to be able to determine where the error occurred, so it can be corrected. I have a related story: Avis, and other car rental companies, have a service where information (driver's license number, billing info, etc.) is pre-entered into their reservation/billing system, under a Wizard Number. The benefit, to me, is that the time needed to rent a car is significantly reduced. I checked my account last summer and found that someone had made a reservation in my name. I called Avis and was told that they thought that operator error had resulted in my Wizard Number being used as part of someone else's reservation. Issues: - The system should have done some checking to ensure the correct Wizard Number was being used. Canadian banks love asking silly questions to confirm identity, why not this system? - The system didn't seem to have any way to determine who had made the reservation, and inform them that correction was needed. Was the reservation made through an agent? Was it associated with an airline reservation? I canceled the reservation, and suggested Avis send a note to the place the car was to be picked up, so they would know what happened when this person arrived (and hopefully keep a car available for him). Somewhat later copy of receipt from this person's rental turned up on my Avis account. So, logically, he must have arrived at the rental office, with a printed copy of the reservation. Rather than checking why the reservation was canceled, the rental office must have simply reconstituted the reservation under my Wizard Number. Issues: - Something should have detected a fault. A detailed check of this person's information against what was in stored under my Wizard Number should have detected something. - The system has stored the record of the rental, complete with parts of his credit card number, under my Wizard Number. I called Avis, and their response was that since the rental hadn't been charged to me (the renter had provided a credit card) nothing was wrong. So, I called the rental office. The person I talked to told me they remembered the rental, and that the Wizard Number had come up when they swiped his credit card <!>. Further discussion revealed that the name on the credit card was the same as mine, and that the driver's license was issued from the same province as where I live. Issues: - The linking of his information to my Wizard Number seems like a serious system fault, so I am curious about Avis's response. - In cases where the information between two customers has some overlap the system (human and automated) needs to do extra special checking. In this case there is a strong possibility that I could have been billed, without any way to determine who had actually rented the car. I guess the risk is all Avis (since the stamps on my passport prove it wasn't me who rented the car), but in these days of identity theft, I would hope our automated systems are being developed to reduce the IT reservation under my Wizard Number.
Please report problems with the web pages to the maintainer