The Risks Digest

The RISKS Digest

Forum on Risks to the Public in Computers and Related Systems

ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

Volume 25 Issue 63

Sunday 5 April 2009

Contents

ElcomSoft to Recover Passwords with a Tambourine
Olga Koksharova via Michel Kabay
More on Google calendar
Pat Lincoln and Jeremy Epstein via PGN
Woman follows GPS, gets stuck in snowmobile trail
Monty Solomon
A firmware glitch of router software: 32-bit integer handling
Chiaki Ishikawa
No remittance, no ignition: Auto 'electronic repo' in action
Henry Baker
Risks of on-line backups -- is it still safe once there?
David Lesher
Domino's dishes out 11,000 free pizzas by mistake
Monty Solomon
Australian DST in the news
Tony Finch
Medical histories on the Internet
A Subscriber
Playboy TV fined over explicit content
Max Power
Re: E-voting in Ireland
Robert `Jamie' Munro
Oldest Data Loss Incident Contest
Monty Solomon
2009 IEEE Symposium on Security and Privacy
David Du
Info on RISKS (comp.risks)

ElcomSoft to Recover Passwords with a Tambourine (Olga Koksharova)

"Michel Kabay" <mekabay@gmail.com>
Wed, 1 Apr 2009 08:13:44 -0400

Dear Colleagues, This is exciting news for those committed to cultural
sensitivity in the pursuit of science and technology.  Mich

M. E. Kabay, PhD, CISSP-ISSMP, CTO & Prog Dir, MSc in Info Assurance
School of Graduate Studies, NORWICH UNIVERSITY  +1.802.479.7937

-----Original Message-----
From: Olga Koksharova [mailto:o.koksharova@elcomsoft.com]
Sent: Wednesday, April 01, 2009 04:21
Subject: Press Release: ElcomSoft to Recover Passwords with a Tambourine

1 Apr, 2009 -- ElcomSoft Co.Ltd. introduces Password Recovery Tambourine
<http://tambourine.elcomsoft.com>, a supernatural amulet to recover lost
passwords with a 100% guarantee. The new tambourine is produced with genuine
deer skin and requires training supervised by a qualified Yakutsk shaman. By
offering guaranteed, 100% password recovery rate, ElcomSoft leaves
competition behind once and forever.

Why Password Recovery Tambourine

Passwords affect people's lives. Lost and forgotten passwords can cost a
life or a job. Striv[ing] to provide a solution to improve peoples' lives,
ElcomSoft makes software for helping its customers recover passwords
<http://www.elcomsoft.com/products.html> they've lost or forgotten. The
company's password recovery tools are extremely effective, and literally
save lives and jobs every other day. However, not all types of encryption
are created equal. Some companies make exceptionally good effort protecting
information, and use really secure algorithms from time to time. If a really
secure password is used with those algorithms, the protected data is as good
as gone.

Background

Universal cryptanalysis methods do exist. Government agencies, intelligence
services and, in some countries, even police have successfully used methods
such as rubber-hose cryptanalysis
<http://en.wikipedia.org/wiki/Rubber_hose_cryptanalysis> for
years. Rubber-hose cryptanalysis allows passwords and keys to be discovered
in a surprisingly short time. The method is quite computationally
inexpensive. However, commercial use of this method is limited due to legal
restrictions in most countries. ElcomSoft started a quest to develop a
universal cryptanalysis method that is at least as effective as rubber-hose,
but comes with no penalty of being inhumane or restricted to exclusive use
by government agencies.

Development History

Several unsuccessful attempts were made to design the ultimate password
recovery tool. Using a crystal ball seemed like a great idea at first, but
was quickly rejected. Rabbit's foot seemed a better idea for some time, but
subsequent tests demonstrated that the foot could only solve certain network
problems with corporate LANs, and only when used by qualified system
administrators. A voodoo doll was a total nightmare, doing anything but
recovering passwords.

The first ray of hope shined after one of ElcomSoft's employees was sent to
Yakutia, a freezing province in Russia with real bears. He brought a
shaman's tambourine that was used regularly by the local tribe's shaman to
find missing things. ElcomSoft has conducted a full-scale scientific
research of the new tool, spending endless hours chatting with Yakutia
locals and shamans who use tambourines more often than we use our
toothbrushes. More than two hundred ritual dances have been performed, and
today, ElcomSoft is proud to announce that the ultimate tool to recover lost
passwords that cannot be recovered in a traditional way has emerged.

About Elcomsoft Password Recovery Tambourine

Elcomsoft Password Recovery Tambourine is anything but easy to use. A
special supervised training program must be completed, stunts and tricks
have to be learned, and spells in Yakutian language must be mastered. The
price is barely affordable. A variety of models is available.

Standard model works for most users without special needs. Simple, reliable,
not too expensive. Corporate model is based on the standard tambourine, and
it can work with hundreds and thousands of documents at a time. Special team
training is required. Pocket version is easy to take on a trip, but it has
some restrictions supporting less exotic formats than its bigger siblings. A
comprehensive, 200-page manual is shipped with every tambourine.

To order or get more information on Elcomsoft Password Recovery Tambourine
visit http://tambourine.elcomsoft.com/

  [Info on ElcomSoft Co Ltd. legitimate, but truncated as inappropriate for
  RISKS.  PGN]


More on Google calendar (Re: Epstein, RISKS-25.62)

"Peter G. Neumann" <neumann@csl.sri.com>
Wed, 1 Apr 2009 8:20:14 PDT

> When there's a shared calendar infrastructure and it's buggy, everyone
> ends up at the wrong time.

Patrick Lincoln noted that if *everyone* used Google calendar, everyone else
would have been on the telecon at the "wrong" time -- which would have been
the right time!  So the risk is that not enough people are sharing the same
calendar system.  He proposed that we lobby for a federal law that requires
everyone use Google calendar to avoid this risk.

Jeremy responded to Pat that what may make things a bit easier is that the
stimulus package allocated $3.2B to Google to move the calendar 15 minutes
ahead, preserving America's technological lead (by 15 minutes).  So those
people who don't switch to Google calendar will be perennially 15 minutes
late.  Since the first 15 minutes of a meeting are frequently wasted with
getting everyone into the room, on the phone, etc., this means that
non-Google calendar users will have the advantage of being more efficient,
possibly offsetting the job creation value of the stimulus spending.  Is
that close enough to your proposed federal law?

Pat replied, ``That's an excellent first step, but doesn't achieve the
entire aim of my proposed law.  Also, since the entire Internet and
everything it is attached to is going to be destroyed today by Conficker,
one other important aspect is a key invention, a survivable carbon-based
two-dimensional human-readable storage medium for Google calendar
information.''


Woman follows GPS, gets stuck in snowmobile trail

Monty Solomon <monty@roscom.com>
Fri, 3 Apr 2009 01:48:18 -0400

Woman follows GPS, gets stuck in snowmobile trail, 1 Apr 2009
http://www.boston.com/news/odd/articles/2009/04/01/woman_follows_gps_gets_stuck_in_snowmobile_trail/

Deputy Keith Svoboda said it took a while to find her and much longer to get
heavy equipment in to free the vehicle. Deputies dropped her at a motel for
the night.  Svoboda said the lesson is, "People shouldn't believe everything
those things tell you."
  [Especially on April Fools' Day!  PGN]


A firmware glitch of router software: 32-bit integer handling

Chiaki Ishikawa <ishikawa@yk.rim.or.jp>
Thu, 02 Apr 2009 23:29:43 +0900

I am not sure if this is a computer risk in the general sense, but I feel we
will see more of this type of problem (32-bit signed integer vs unsigned
integer) in embedded devices for consumer electronics and elsewhere for some
time to come, and so I am reporting it here.

First the public fact.

NEC, a large electronics company, and its subsidiary NEC Access Technica
have announced that their line of DSL routers with an IP-phone feature, which
are used by many Japanese ISPs including the giants NTT East and NTT West,
have a software bug: after 2485 days of continuous use, the router no
longer allows telephone functions.  (Internet access is still usable,
though.)

The problem can be fixed by a firmware upgrade, or for that matter, if the
power is cycled, the problem is shifted another 2485 days into the future.

(Actually, I saw somewhere that NEC and NEC Access Technica were looking
into problems reported on a different line of routers when they learned of
the potential for similar problems. And when they checked the firmware of
other products, they found the newly reported problems. I am not sure where
I read it. I can't locate it any more. Maybe I read it in the letter sent by
an ISP to notify me of the problem, urging me to update the firmware of the
affected router.)

The cause of the bug?

The various reports I read didn't mention what the real cause of the
"software" problem was, but I guessed that it must be related to the use of
a 32-bit integer for counting inside the firmware.

To wit, the problem interval T in seconds is 214704000 [seconds] (= 2485
[days] * 24 [hours/day] * 3600 [s/h]).

One day shorter T' is 214617600 [seconds] = 2484 [days].

Also, 2 ** 32 = 4294967296
      2 ** 31 = 2147483648

We can see the following holds:

     (T' * 10)  < 2**31 < (T * 10) < 2 ** 32

My conclusion:

A certain integer counter is incremented at 1/10 sec intervals within the
software, using 32-bit data starting from 0 after power-up.

Internally, the firmware code regards this data as "signed", and suddenly,
somewhere between the 2484th and 2485th day, this counter becomes "NEGATIVE",
wreaking havoc within the code and rendering the phone function useless.

Observation:

When I was checking web pages to write this submission, I noticed a bug
report that different routers used for IP phones over optical fiber had a
similar problem after 249 days.  This was found last summer.  Obviously 249
days is much shorter than 2485 days, and some people suffered from the bug
last year.  In this case, I think the counter is incremented every 1/100
second. Maybe this discovery led to the massive review of the router
firmware.

I noticed that similar problems concerning integer size and its signedness
have occurred when
 * file sizes began exceeding the 2GB limit (again the 31/32-bit boundary),
 * the address space was extended from 32 bits to 64 bits.

I noticed the first file size problems starting around the time Solaris and
other POSIX-based systems began offering large file systems. Also, to
this day, unmaintained shareware on Windows often has problems when we try
to handle a large file (2GB) like an ISO image on Windows. The symptoms are
many. But one symptom that suggests the use of a signed integer to check for
the remaining file space is a message saying I don't have enough space
although I have more than enough (actually more than 2GB of free space). I
have checked that in many cases, if I create a very large dummy file to
shrink the remaining free file space to less than 2GB, then these
unmaintained programs proceed without a hitch, or run into other
size-related problems later.

I noticed the second, address space, problems when Linux was ported to the
x86 architecture with a 64-bit address space: many device drivers as well as
applications began failing. Solaris for x86 also saw many third-party
drivers facing similar problems when the 64-bit address space was supported
on the x86 architecture. (Solaris for SPARC has supported a 64-bit address
space for many years and I don't remember particular problems.)

We can now add the use of timers/counters to the causes that may trigger
careless errors in applications.  We have already seen cases in the past
where a counter goes over the allocated bits and repeats again from 0, thus
causing software problems: I think the early version of Windows NT had a
problem of requiring a reboot every 49 days or so for certain applications.
(Counters incremented every 1/50 sec?)

As more consumer devices (as well as industrial machines) are equipped with
32-bit CPUs, and more programmers who are accustomed to the luxury of 32-bit
CPU programming under a non-embedded OS have begun to develop software for
embedded devices, we may see similar problems in the embedded system space
more often.  We have seen many already, but I am afraid that this trend will
continue.

BTW, routers are complex devices and some literally have Linux inside.  I
was somewhat surprised recently to see the GNU General Public License
repeated verbatim in print inside the manual of my Toshiba hard disk
recorder. Obviously, certain code used inside is based on GPL'ed code.  When
I think about the growing pains that drivers and the OS itself had to go
through when larger file sizes and address space extensions were introduced,
I have an uncomfortable feeling trusting the complex operations on such
products unless software patches are readily available. But how are we
supposed to "patch" hard disk recorder software? If the power cord is
accidentally removed during patching, what happens?! Does the hard disk
recorder store the "patch" program in a separate place, preferably a ROM or
something, so that glitches during patching cannot corrupt such software?

Embedded system programming requires a certain different mindset, but I am
afraid that not many programmers are trained to develop such a mindset in
the educational system, or even in the industry in general.  I feel this way
because the lessons of the problems with NT don't seem to have been learned
by the would-be developers of today.

I am reporting the problem here today so that at least someone can point out
that such a problem has been public knowledge for a long time when a similar
problem happens again in the future.
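The arithmetic in the post above, worked through in a small C program. This
is an added illustration, not part of Chiaki Ishikawa's submission and not
code from the NEC firmware: the 1/10 s and 1/100 s tick rates are the
post's own hypotheses, the 1 ms unsigned counter used for the 49-day case
is my assumption (the post leaves that tick rate open), and the pair of
deadline checks is a hypothetical sketch of how a signed tick counter can
break a timeout and how a wrap-safe comparison avoids it, not the router's
actual code.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define SECONDS_PER_DAY 86400ULL

/* Days a counter that starts at 0 and advances ticks_per_second times a
 * second can run before exceeding `limit` (INT32_MAX for a counter the
 * code treats as signed, UINT32_MAX for an unsigned one). */
double days_until_overflow(uint64_t limit, uint64_t ticks_per_second)
{
    return (double)limit / (double)(ticks_per_second * SECONDS_PER_DAY);
}

/* Raw 32-bit value of such a counter after `elapsed_seconds` of uptime:
 * the register simply wraps modulo 2^32. */
uint32_t raw_counter_after(uint64_t elapsed_seconds, uint64_t ticks_per_second)
{
    return (uint32_t)((elapsed_seconds * ticks_per_second) & 0xFFFFFFFFULL);
}

/* The same bits read through a signed declaration, which is how firmware
 * that declared the counter `int` sees it (memcpy keeps the
 * reinterpretation well defined in C). */
int32_t as_signed(uint32_t raw)
{
    int32_t v;
    memcpy(&v, &raw, sizeof v);
    return v;
}

/* Hypothetical buggy timeout check in the style the post hypothesises:
 * a plain signed comparison on the tick counter. Once `now` has gone
 * negative, a deadline set while it was still positive is never reached,
 * so whatever waits on this check hangs. */
int deadline_reached_signed(int32_t now, int32_t deadline)
{
    return now >= deadline;
}

/* Wrap-safe form: subtract in unsigned modular arithmetic and read the
 * difference as a signed interval. Correct across both the 2^31 and 2^32
 * boundaries as long as deadlines lie less than 2^31 ticks ahead (the
 * idiom behind the Linux kernel's time_after() macros). */
int deadline_reached_wrapsafe(uint32_t now, uint32_t deadline)
{
    return as_signed(now - deadline) >= 0;
}

int main(void)
{
    /* 1/10 s ticks read as signed: the DSL-router case from the post. */
    printf("1/10 s, signed:  %.2f days\n", days_until_overflow(INT32_MAX, 10));
    /* 1/100 s ticks read as signed: the ~249-day fibre-router case. */
    printf("1/100 s, signed: %.2f days\n", days_until_overflow(INT32_MAX, 100));
    /* 1 ms ticks, unsigned: an assumption for the 49-day NT case. */
    printf("1 ms, unsigned:  %.2f days\n", days_until_overflow(UINT32_MAX, 1000));

    /* Walk the 1/10 s counter day by day around the signed boundary. */
    for (uint64_t day = 2483; day <= 2487; day++) {
        int32_t v = as_signed(raw_counter_after(day * SECONDS_PER_DAY, 10));
        printf("after %llu days: counter reads %d%s\n",
               (unsigned long long)day, v, v < 0 ? "  <-- negative" : "");
    }

    /* A deadline set 30 s (300 ticks) before the signed boundary, checked
     * 30 s after it: the signed check says "not yet", the wrap-safe one
     * says "expired". */
    uint32_t deadline = 0x7FFFFFFFu - 300;
    uint32_t now      = 0x7FFFFFFFu + 300;
    printf("signed check:    %d\n",
           deadline_reached_signed(as_signed(now), as_signed(deadline)));
    printf("wrap-safe check: %d\n", deadline_reached_wrapsafe(now, deadline));
    return 0;
}
```

The day-by-day walk shows the counter still positive after 2485 whole days
and negative after 2486, and the 1/100 s variant turns negative during day
249; the same function with UINT32_MAX and 1000 ticks/s gives the 49.7-day
wrap of a millisecond counter. The defensive point is the last pair of
checks: a timeout written as a signed `now >= deadline` fails silently once
the counter crosses 2^31, while the modular-difference form keeps working
through both the signed and the unsigned boundary.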


No remittance, no ignition: Auto 'electronic repo' in action

Henry Baker <hbaker1@pipeline.com>
Thu, 02 Apr 2009 09:20:51 -0700

FYI -- Regardless of the date, this technology appears to be genuine.  I
guess the ultimate use of this technology would be for medical devices like
heart pacemakers and defibrillators...

On a Gibbs family trip to Topeka, the littlest passenger wouldn't shut up.
`Beep-beep-beep' recalled Michelle Gibbs, mimicking the palm-sized device
installed by her used-car dealer under the dash of the Honda Accord.  ``Try
driving back for two hours with three kids in the car and that sound:
Beep-beep-beep.  It's very annoying, but for the most part, it's the best
thing to happen to us.''

The beeping was a reminder that 24 hours remained before a car-loan payment
had to be made -- or else the vehicle would fail to start after that,
courtesy of `electronic repossession'.  The Gibbses made it home to Blue
Springs, punched in a one-time emergency code provided by the dealer to keep
the car operable and then drove to the dealership to deliver the delinquent
payment.  It was the first time in five years they had been late on a
payment.  [Source: Rick Montgomery, *The Kansas City Star*, posted on 1 Apr
2009, PGN-ed]
  http://www.kansascity.com


Risks of on-line backups -- is it still safe once there?

"David Lesher" <wb8foz@panix.com>
Tue, 24 Mar 2009 11:13:14 -0400 (EDT)

Besides the issues of security & upload speed, when you use an off-site
backup service, you assume that they are smart enough not to lose your
data...and don't have problems of their own.

But...

Online backup service provider Carbonite is suing storage vendor Promise
Technology, saying repeated failures of Promise gear have caused
"significant data loss" at Carbonite.

In the lawsuit, filed 20 Mar 2009 in Suffolk County Superior Court in
Boston, Carbonite said it bought more than US$3-million worth of Promise
VTrak Raid products beginning in 2006. In several incidents starting in
January 2007, the service provider suffered data loss because the Promise
gear failed to support recovery from physical drive errors and array
errors. The data losses caused "substantial damage" to Carbonite's business,
the company alleged.  ...  However, in a written statement following news
reports on the case, Carbonite elaborated on the failures to say a smaller
number of customers actually lost their own data. All customer backups
involving the failed equipment were restored immediately and automatically,
the company said.
<http://www.pcworld.com/article/161819/backup_provider_carbonite_loses_data_sues_vendor.html?tk=rss_news>

(Promises, Promises... or should I say Diamond, not Carbonite, is a bit's
best friend?)


Domino's dishes out 11,000 free pizzas by mistake

Monty Solomon <monty@roscom.com>
Fri, 3 Apr 2009 01:54:45 -0400

http://www.boston.com/news/odd/articles/2009/04/02/dominos_dishes_out_11000_free_pizzas_by_mistake/

AP, datelined Cincinnati, 2 Apr 2009

"Bailout" was the magic word as Domino's had to give away thousands of free
pizzas because someone stumbled on an online promotion the company scrapped.
Domino's Pizza Inc. spokesman Tim McIntyre said Wednesday that the company
prepared an Internet coupon for an ad campaign that was considered in
December but not approved.  He says someone apparently typed "bailout" into
a Domino's promo code window and found it was good for a free medium pizza.

Word about the code spread quickly Monday night on the Web and 11,000 free
pizzas were delivered before it was deactivated Tuesday morning.
Cincinnati-area franchise owner John Glass says his 14 stores gave away more
than 600 pies, but that Domino's promised to reimburse him.

  [Also noted by Max Power.  PGN]


Australian DST in the news

Tony Finch <dot@dotat.at>
Tue, 31 Mar 2009 14:35:37 +0100

http://www.theage.com.au/articles/2009/03/30/1238261487308.html

Australia has had quite a lot of DST rule changes in recent years. However
this year the clocks are going back according to the same rule as last year
(first Sunday in April, except Western Australia changed on the last Sunday
in March). Even so, people are still having problems with incorrect
automated timezone changes.

The risks here include sophisticated mobile phone software that is difficult
to update (I can't update my phone because I don't own a copy of Windows); a
complicated service model in which it's unclear who is responsible for DST
updates (my phone has an option to get its time from the network, even
though it is tied to a network that doesn't provide the service, and its
clock is accurate enough that the lack of synchronization isn't clear until
there's a DST change), and of course pointless political fiddling with the
DST schedule.

f.anthony.n.finch  <dot@dotat.at>  http://dotat.at/


Medical histories on the Internet

<A Subscriber>
Mon, 30 Mar 2009 14:14:30 +1000

The Australian government is seeking to introduce a blacklist for ISPs to
block the inappropriate sites about children before reaching the user.  All
the usual parallels to Chinese government, etc., and not actually educating
the children or stopping the problem.
http://www.news.com.au/couriermail/story/0,23739,25262805-952,00.html

Mid-March 2009.  In Queensland, Australia, at least 100 patients had their
relevant medical history, current medications, and next of kin displayed on
a pathology company's website.  The records were meant to be made available
to treating doctors, but became available to all.  The CEO is reported to
have been very defensive rather than seeking to resolve it and advise the
relevant persons.  It was also raised that there was no law requiring
affected persons to be advised.

http://www.news.com.au/couriermail/story/0,23739,25253159-3102,00.html
http://www.news.com.au/couriermail/story/0,23739,25260243-3102,00.html


Playboy TV fined over explicit content

Max Power <dist23@juno.com>
Thu, 2 Apr 2009 21:57:41 -0700

A classical encoder-mode Risk:

Essentially what this means is that Adult Channels (and other sensitive
content channels) in the UK are obliged to have redundant crypto encoders
for the transmission of their content. The crypto itself is not at fault,
but the crypto device oversight is. Often these devices are set into
"test mode" or the "defeat switch" is on.

If the network used 2nd party encoding (essentially outsourcing beyond the
network transmission studio and switch) then the 2nd party may be obliged
to pay or split the fine.

British media regulator Ofcom has fined Playboy TV 22,500 pounds ($32,990)
for airing sexually explicit images in breach of broadcasting rules,
claiming Playboy One had broadcast unencrypted raunchy, and what the
watchdog deemed offensive, material until September 2008.  Ofcom had
received five complaints relating to seven late night programs broadcast
between September and December 2007.  ``Depending on the individual breach,
the explicitness, strength and, or, sustained nature of the sexual content
and language was unacceptable for broadcast on an unencrypted free-to-air
channel.''  Ofcom said Playboy TV UK/Benelux Ltd had failed to ensure
adequate protection for viewers from `potentially harmful or offensive
material'.  [Source: Reuters item, 2 Apr 2009; PGN-ed]
http://www.reuters.com/article/oddlyEnoughNews/idUSTRE5314IR20090402


Re: E-voting in Ireland (RISKS-25.62)

<Robert `Jamie' Munro>
Mon, 30 Mar 2009 14:52:01 PDT

"Ten years ago, the replacement of pencils and ballot papers by machines was
seen as a badge of modernity. But technology was not sufficiently advanced
to guarantee security of the new system."

I disagree with this assertion. I think the technology is /too/ advanced to
guarantee security of the system.  I'm reminded of Clarke's 3rd law: "Any
sufficiently advanced technology is indistinguishable from magic."  We
cannot have a trusted system of democracy if voting works by magic.  Voting
needs to work in a way that everyone can fully understand.


Oldest Data Loss Incident Contest

Monty Solomon <monty@roscom.com>
Wed, 1 Apr 2009 21:12:04 -0400

First, a little history about the competition: In 2005, the Open Security
Foundation launched the Oldest Vulnerability contest for one of our other
projects, the Open Source Vulnerability Database, and from it came
vulnerabilities dating back as far as 1965.

The winner, Ryan Russell, found a password file disclosure vulnerability
from January of 1965, and helped OSVDB nail down several other old
vulnerabilities. That contest resurfaced in our memories recently, and we've
decided to do the same thing for DataLossDB.

What is the oldest documented data loss? As far as what is currently in
DataLossDB, it is from January 10, 2000 when a hacker claimed to have stolen
300,000 credit card numbers from CD Universe.

We believe there are plenty of data-loss incidents that happened prior to CD
Universe. Does anyone have an older incident they can submit to DataLossDB?
We want it, and we'll reward you for it!

Find us the oldest documented Data Loss Incident. The oldest three
submissions will receive prizes from our wonderful sponsors. In addition,
you'll be able to bask in the fame of being the researcher, or Data Loss
Archaeologist, who uncovered the oldest documented Data Loss Incident.

Incidents submitted don't have to be older than the CD Universe breach. For
instance, the oldest Stolen Computer breach in the database occurred in
2003. So, submit what you find! You might find the oldest stolen laptop
breach, or the oldest accidental web exposure breach. ...
  http://datalossdb.org/oldest_incidents_contest

  [If you are going to submit, you might look through the RISKS archives,
  beginning in 1976 with the ACM SIGSOFT Software Engineering Notes (SEN),
  well BEFORE the Risks Forum started.  My historical index for SEN and
  RISKS is online.  Although I've been struggling to keep it up to date
  recently, it is fine for old stuff in pre-RISKS SEN issues -- which Will
  Tracz now has online.  PGN]
    http://www.csl.sri.com/neumann/illustrative.html


2009 IEEE Symposium on Security and Privacy

"David Du" <du@cs.umn.edu>
Sat, 21 Mar 2009 14:22:35 -0500

This is a reminder that the early registration deadline for
the conference is approaching (20 Apr 2009). Some useful information about
the conference is listed below.  Please visit the conference webpage at
http://oakland09.cs.virginia.edu/ if you need more information. Hope to see
you at the conference in Oakland, California again from May 17th to 20th.

David Du, General Chair

30th IEEE Symposium on Security & Privacy

The 2009 symposium marks the 30th annual meeting of this flagship
conference. Since 1980, the IEEE Symposium on Security and Privacy has been
the premier forum for presenting developments in computer security and
electronic privacy, and for bringing together researchers and practitioners
in the field.

The 2009 symposium will be held May 17-20 at the Claremont Resort in
Oakland, California <http://www.claremontresort.com/>.
Accepted Papers: <http://oakland09.cs.virginia.edu/papers.html>
Program: <http://oakland09.cs.virginia.edu/program.html>

Upcoming Deadlines

Travel Grants Deadline: 15 April 2009
  [Travel Grant Information: <http://oakland09.cs.virginia.edu/grants.html>]
Poster Submission Deadline: 15 April 2009
  [Call for Posters: <http://oakland09.cs.virginia.edu/posters.html>]
Short Talks Early Deadline: 15 April 2009
  [Call for Short Talks: <http://oakland09.cs.virginia.edu/shorttalks.html>]
Early Registration Deadline: 20 April 2009
  [Registration Information: <http://www.regonline.com/Checkin.asp?EventId=707709>]
Hotel Registration Deadline: 24 April 2009
  [Hotel Information: <http://oakland09.cs.virginia.edu/travel.html>]

Travel Grants
Travel Grants information is now posted:
<http://oakland09.cs.virginia.edu/grants.html>. Applications are requested
by 15 April 2009.

Registration Open
Registration is now open:
<http://www.regonline.com/Checkin.asp?EventId=707709>. The early
registration deadline is 20 April 2009.

Call for Short Talks
The Call for Short Talks is now posted:
<http://oakland09.cs.virginia.edu/shorttalks.html>

Advance Program
The Advance Program has been released:
<http://oakland09.cs.virginia.edu/program.html>

Workshops and Tutorials
Information on Workshops <http://oakland09.cs.virginia.edu/workshops.html>
and Tutorials <http://oakland09.cs.virginia.edu/tutorials.html> is now
available.

Call for Posters
The Call for Posters is now posted:
<http://oakland09.cs.virginia.edu/posters.html>. Poster submissions are due
15 April 2009.

Accepted Papers Posted
26 papers have been accepted to the symposium:
<http://oakland09.cs.virginia.edu/papers.html>

  [Check it out if you are into research in security and privacy and have
  never been there before.  This is the 30th year at the Claremont, and it
  is always a worthwhile meeting and certainly a lovely venue overlooking
  San Francisco.  PGN]
