Civilian air-traffic control system computer networks have been penetrated multiple times in recent years, including an attack that partially shut down ATC systems in Alaska. The FAA is expecting to spend about $20 billion in an upgrade over the next 15 years. [Source: *Wall Street Journal*, 7 May 2009; PGN-ed] http://online.wsj.com/article/SB124165272826193727.html [RISKS readers will recall that the previous attempted upgrade cost about $4B before it was scuttled. PGN] As an economist I'm primarily interested in this case for two reasons: a) whether as a practical and theoretical matter the US government can purchase and maintain modern information systems for specialized civilian applications given that the FAA has been trying and failing to do so for 20 years even as private corporations created for that purpose, entities like Nav Canada and even the US Postal Service, have been more successful, and b) the application that this failure has to the prevailing mythology of how expanding government control over health information storage architecture will improve care and lower costs. To date the myth of electronic systems to the rescue continues to grab people even though almost all of the real world tests of the effects of expanded government control suggest that the most likely result is higher costs and degraded care. Linda Gorman, Director, Health Care Policy Center, Independence Institute, Golden, Colorado
I thought this would be of interest to RISKS readers. http://www.flightglobal.com/articles/2009/05/06/326132/us-air-traffic-exposed-to-serious-harm-from-cyber.html Scary stuff if the risks are as serious as discussed. [See also CNET. PGN] http://news.cnet.com/8301-1009_3-10236028-83.html?tag=newsEditorsPicksArea.0 [The risks are not newly identified. For example, see my Computer Security in Aviation: Vulnerabilities, Threats, and Risks, International Conference on Aviation Safety and Security in the 21st Century, 13-15 January 1997, for the White House (Gore) Commission on Safety and Security. http://www.csl.sri.com/neumann/air.html However, perhaps the awareness climate is finally changing. PGN]
Not directly a computer risk but it raises the question of how 100,000 gallons of water could go missing; the leak was only discovered when someone noticed water flowing across the floor. Funny, that's the same technology by which my wife just noticed a basement leak in our house. I'm thinking about installing a water detector -- maybe Entergy should also.

... it has raised concerns about the monitoring of decades-old buried pipes at the nation's nuclear plants, many of which are applying for renewal of their operating licenses. Indian Point 2, whose 40-year operating license expires in 2013, already faces harsh criticism from New York State and county officials who want it shut down. Representative Edward J. Markey, the Massachusetts Democrat who heads a House subcommittee on energy and the environment, said the leak raised serious questions about Entergy's and the regulatory commission's oversight. "This leak may demonstrate a systemic failure of the licensee and the commission to inspect critical buried pipes in a manner sufficient to guarantee the public health and safety," he wrote to the commission's chairman, Dale Klein, in a letter on Thursday. The letter was also signed by Representative John J. Hall, whose district includes the plant. The congressmen said they were "shocked" that a leak that big could develop without detection and called the system for detecting such problems "profoundly inadequate." [Source: Matthew Wald, *The New York Times*, 2 May 2009; PGN-ed] http://www.nytimes.com/2009/05/02/nyregion/02nuke.html?hp
Drunk driving defendants demand to see source code for testing machines, Minnesota state supreme court rules they have that right, but machine maker refuses citing trade secrecy. http://www.twincities.com/news/ci_12267906?source=rss
http://www.rollcall.com/issues/54_125/guest/34584-1.html?type=printer_friendly Robert F. Bauer and Trevor Potter are attorneys in private practice, specializing in election law. Bauer served as general counsel to the Obama presidential campaign, and Potter was general counsel to the McCain presidential campaign. Robert F. Bauer and Trevor Potter, Next Phase of Election Reform: Start With Facts, 5 May 2009 As the general counsel to the Obama and McCain campaigns, we had our disagreements - a fair number of them, as a matter of fact. But we share a deep commitment to fair and well-run elections in which all qualified voters have the opportunity to vote, and all the votes that they cast are accurately counted. Looking back on the 2008 elections, we have no doubt that reforms in the administration of elections in this country are needed if we are to meet these standards. We also believe such reforms can be achieved, with potentially transformative success for the American voter. It may be news to many readers that reforms are still needed. The media widely reported a smooth election, and in some places, those reports were accurate. The problems - and there were many, scattered across the country - received comparatively little attention because the outcome of the voting was clear. State voter registration lists suffered from various levels of inaccuracies, there were controversies over registration drives, the lines for early voting almost overwhelmed the system in some states, and absentee ballots often reached voters too late to be cast, especially for armed forces members overseas. And on Election Day, there were many reports of more long lines, inadequate ballots, malfunctioning machines and voters turned away because of registration issues across the country. If the election had been close, there would have been legal controversies over counting hundreds of thousands of absentee and provisional ballots in key states. ... 
Data provide the reality check that forecloses the most extreme positions. Unfortunately, our state and local governments do not generate, let alone make public, the most basic information on how well the system is working. Many states cannot tell you how many people showed up to vote on Election Day. Other states have no idea how many voters are registered or how voters cast their ballots. What little data we have suggest that jurisdictions have widely variable numbers of provisional ballots and markedly different ballot discard rates. Even here, however, we lack enough information to figure out why that is so. It is essential that the data collected is distilled into a usable form. Voters need a readily accessible metric to hold their government accountable for missteps and reward those who perform well. Policymakers need solid, comparative data to referee the inevitable fights that take place between reformers, parties, candidates and election administrators over whether the system is working. Election administrators need a strategy for sorting through widely varying local practices to identify the best ones. A critical step toward the production of this data is the Democracy Index, proposed by Heather Gerken of Yale Law School, which would rank states and local election systems based on performance. Such an index would function like a U.S. News and World Report ranking for colleges, pulling together basic information that matters to voters: How long were the lines? How many ballots got discarded? How often did machines break down? This is the kind of solution that should attract strong bipartisan support. Rather than adopting a top-down, command-and-control approach, it relies on a market-based solution, looking to "sunshine" - the plain light cast by the facts - to motivate responsible officials to do better. Rather than mandate uniform national standards, it takes advantage of local variation to spot and surface good policy. 
What's most attractive about a proposal like Gerken's is that it should lay the groundwork for well-reasoned reforms. With better data, we should be able to avoid fruitless discussions about the things that don't matter and focus on the things that do. Reliable performance data, in our view, would make visible the costs associated with our current registration system, potentially moving us toward a system of automatic voter registration by states, which in turn would help eliminate the conflicts over the role of private registration activity. Reliable performance data would, we also suspect, help advance discussion of the role and rules for early voting and give election administrators the ammunition that they need to fight for the resources that they have so long done without. Agreement on these issues will not always be easy. But good data offer a shared starting point for discussions about the future path of reform. When President Barack Obama and Secretary of State Hillary Rodham Clinton were Senators, both proposed bills that would make the Democracy Index a reality. The problems that we saw during the 2008 elections confirm the importance of passing just such a bill and giving at long last a strong factual foundation to the urgent business of reform - and a strong incentive to elected officials, administrators and parties to get on with the hard work ahead. 2009 © Roll Call Inc. All rights reserved.
[From Dave Farber's IP distribution] http://www.huffingtonpost.com/richard-a-clarke/obamas-challenge-in-cyber_b_199926.html?view=print In the next few days President Obama will decide whether he will live up to his campaign promises about dealing seriously with the challenge of cyber security by creating a White House office to direct government activity and coordinate with the private sector. None of the options being served up to him will create the stand alone White House office that is needed to provide the leadership on this issue. The reasons that this decision is important have been spread across the media this last month. Among the facts revealed are that foreign intelligence services have penetrated the control systems of the US electric power grid and have left behind "logic bombs" and "trap doors;" data about America's latest fighter aircraft, the F-35 Lightning II, has been copied off the networks of defense contractors and sent overseas; the Pentagon plans to appoint a new four star general to run a new Cyber Command based on the National Security Agency (NSA); and a National Academy of Sciences blue ribbon panel has urged caution about the US engaging in offensive cyber war.
Boston city employees could not be paid by direct deposit on 1 May 2009, as a result of an unspecified computer problem. The city has 17,000 employees, but it was not clear how many of those were affected. [Source: Andrew Ryan and Michael Levenson, *The Boston Globe*, 1 May 2009: PGN-ed] http://www.boston.com/news/local/breaking_news/2009/05/computer_glitch.html
Rohan Sullivan, Associated Press, Sydney, Australia, 7 May 2009, http://www.miamiherald.com/news/world/AP/story/1037803.html Teenage hiker David Iredale used his cell phone to call Australia's equivalent of 911, SEVEN TIMES pleading for rescue after he became lost in tough scrubland and ran out of water in 100-degree (37 C) heat. Each time he got through, he was told he needed to give a street address before an ambulance could be sent. Shortly after the final call, Iredale collapsed and died of thirst. A subsequent inquiry identified deep flaws in the OZ emergency response system -- including an "astonishing lack of empathy" by the operators.
Brian Krebs, *The Washington Post*, 4 May 2009 Hackers last week broke into a Virginia state Web site used by pharmacists to track prescription drug abuse. They deleted records on more than 8 million patients and replaced the site's homepage with a ransom note demanding $10 million for the return of the records, according to a posting on Wikileaks.org, an online clearinghouse for leaked documents. Wikileaks reports that the Web site for the Virginia Prescription Monitoring Program was defaced last week with a message claiming that the database of prescriptions had been bundled into an encrypted, password-protected file. ... http://voices.washingtonpost.com/securityfix/2009/05/hackers_break_into_virginia_he.html http://wikileaks.org/wiki/Over_8M_Virginian_patient_records_held_to_ransom,_30_Apr_2009
[From Dave Farber's IP] [Source: Henry K. Lee, UC hacking leaves 160,000 at risk of ID theft, *San Francisco Chronicle*, 8 May 2009; PGN-ed] Overseas hackers may have stolen confidential information belonging to tens of thousands of students and alumni at UC Berkeley and Mills College after gaining access to computer databases at the Berkeley campus' health services center. The databases contained Social Security numbers, health-insurance information and non-treatment medical information, such as immunization records and names of some of the doctors that people may have seen and dates of medical visits, said campus spokeswoman Janet Gilmore. The hackers had access to the information for six months before they were discovered. The breach exposed 160,000 people to possible identity theft, Gilmore said. The university is contacting potential victims, who should consider placing a fraud alert on their credit reporting accounts. Among those at risk are 3,400 students at Mills College in Oakland who received, or were eligible to receive, health care at UC Berkeley. http://sfgate.com/cgi-bin/article.cgi?f=/c/a/2009/05/08/BAPA17H89B.DTL Archives: https://www.listbox.com/member/archive/247/=now
Getting users to choose good passwords and not write them down is always a challenge. It's a tradeoff - if you make the requirements too loose, then an attacker can guess the password. Make it too complex, and users have to write them down. The rules should be proportional to the sensitivity of the data that's accessible - read-only access to a newspaper shouldn't require as strong a password as financial or health information.

In the "too loose" category, the extreme case I've run into was a web site used for storing personnel information - which should have had relatively strong requirements - that required a two character password. No quality restrictions, no frequency of changes, nothing. Bad choice.

Today, I ran into the other end of the spectrum. A site that requires passwords that:

* have a minimum length of 9 characters
* must contain two upper and two lower case characters
* must contain two digits and two special characters
* must be different from the last 9 passwords you've used
* must not contain a single quote

But the kicker: passwords may not contain any word of two letters or more. That's apparently determined (as best as I can tell through trial and error) by comparing every substring to a dictionary. So a password like 97to$%ABC isn't acceptable, because "to" is a word. And 3-5zq?jbeLN isn't valid either, because "be" is a word. Presumably a1b2c3d4e5** would be a valid password, though. (I didn't try that one.) The helpful support person suggested not having any two letters in sequence to avoid tripping over the rule. Human usability, anyone?

Oh, and the password expires every 60 days, so just about when you've come up with something that matches their criteria, it's time to change again. Now granted this site has some sensitive information, but wouldn't it make more sense to use certificate-based authentication, which is far harder to attack in a brute force manner than passwords?
(Assuming, that is, that you're not using certificates with MD5 signatures.) I'd bet that 90% of their users have the passwords written down.
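The rule set described in the password item above, written out as a checker. This is an added example, not part of the original post and not the site's own code. The word list is a constructed stand-in, and case-insensitive matching and "special character means ASCII punctuation" are assumptions.

```python
import re
import string

# Constructed stand-in word list: the site's real dictionary is not known.
SAMPLE_WORDS = {"to", "be", "an", "at", "in", "it", "on", "pass", "word"}

MIN_LENGTH = 9       # minimum length stated in the post
MIN_PER_CLASS = 2    # two of each character class
HISTORY_DEPTH = 9    # must differ from the last 9 passwords


def dictionary_hits(password, words=SAMPLE_WORDS):
    """Return dictionary words (2+ letters) found as substrings of any run
    of adjacent letters. Case-insensitive matching is an assumption."""
    hits = []
    for run in re.findall(r"[a-z]{2,}", password.lower()):
        for start in range(len(run) - 1):
            for end in range(start + 2, len(run) + 1):
                piece = run[start:end]
                if piece in words and piece not in hits:
                    hits.append(piece)
    return hits


def violations(password, previous=(), words=SAMPLE_WORDS):
    """Return the rules a candidate breaks; an empty list means accepted."""
    counts = {
        "upper case": sum(c in string.ascii_uppercase for c in password),
        "lower case": sum(c in string.ascii_lowercase for c in password),
        "digits": sum(c in string.digits for c in password),
        # Assumption: "special" means ASCII punctuation.
        "special characters": sum(c in string.punctuation for c in password),
    }
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    for name, count in counts.items():
        if count < MIN_PER_CLASS:
            problems.append(f"fewer than {MIN_PER_CLASS} {name}")
    # Plaintext history keeps the sketch short; a real system would
    # compare against stored salted hashes instead.
    if password in list(previous)[-HISTORY_DEPTH:]:
        problems.append("reused from recent history")
    if "'" in password:
        problems.append("contains a single quote")
    problems.extend(f"contains the word '{w}'"
                    for w in dictionary_hits(password, words))
    return problems


if __name__ == "__main__":
    # The three passwords quoted in the post, plus one constructed candidate
    # that follows the "no two letters in sequence" advice.
    for candidate in ("97to$%ABC", "3-5zq?jbeLN", "a1b2c3d4e5**", "A1b2C3d4$%"):
        print(candidate, "->", violations(candidate) or "accepted")
```

Run against the passwords quoted in the post, the checker shows that a1b2c3d4e5** clears the substring rule but has no upper-case characters, so the composition rules as listed would still reject it.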
LexisNexis Warns 32,000 of Possible Data Breach [WINS radio news] The LexisNexis online information service is warning 32,000 people their personal information may have been improperly accessed in a credit card fraud scheme that postal officials say bilked hundreds. New York-based LexisNexis says in a letter mailed Friday that former customers of the service may have viewed information including names, birth dates and Social Security numbers. rest: http://www.1010wins.com/32K-May-Be-Victims-of-Breach/4314834
Brian Stelter, TV Networks Frustrated by Lengthy Ratings Delay, *The New York Times*, 6 May 2009 http://tvdecoder.blogs.nytimes.com/author/brian-stelter/ http://tvdecoder.blogs.nytimes.com/2009/05/06/tv-networks-frustrated-by-lengthy-ratings-delay/?ref=business ABC is deciding in the next two weeks whether to renew the TV show Castle. But the nation's television networks have not received the ratings for Castle or for any other show since Saturday. Nielsen Media Research, in the midst of a systems breakdown, has failed to deliver ratings for four days in a row, and the networks are increasingly impatient. Without the overnight ratings that decide the fates of shows, producers and sometimes executives, the networks are flying blind only days before they make pivotal decisions about next season's schedules. Imagine running a movie theater without knowing how many tickets are being sold. Nielsen attributed the delay to unspecified `server issues'. The overnight ratings for Sunday, Monday and Tuesday are delayed, as well as the broader TV rankings for last week. ``Since it's necessary to release the data in sequence, we must process Sunday's TV ratings prior to the release of any days this week. We're working around the clock to get the TV ratings back on schedule.''
Dark Reading (04 May 2009) Higgins, Kelly Jackson, ACM TechNews, 8 May 2009 University of California-Santa Barbara (UCSB) researchers temporarily commandeered an infamous botnet known for stealing financial data and found that the threat it represents is even greater than had been originally assumed. The Torpig/Sinowal/Anserin mini-botnet targets organizations and users to steal bank account information or other sensitive personal data. It is considered more dangerous than big-name botnets because of its small scale and stealthiness. Torpig uses drive-by download attacks as its initial mode of infection, and upon infection the botnet can unleash crafty phishing attacks that produce bogus but authentic-looking Web pages and forms that trick users into exposing their credentials. The UCSB researchers accumulated approximately 70 GB of data for the 10 days they were in control of Torpig, and in that period the botnet stole banking credentials of 8,310 accounts from more than 400 financial institutions, including PayPal, Capital One, E-Trade, and Chase. Nearly half of the 1,660 stolen debit and credit card accounts the researchers counted belonged to victims in the United States. "The level of sophistication, the amount of data that it is able to steal, and the fact that it has been active for more than three years is truly remarkable," says UCSB researcher Brett Stone-Gross. The researchers' disclosures provoked debate on whether the information they exposed about Torpig, its workings, and its victims could compromise efforts to eventually undo the botnet. "This [research] does create a road map ... for the [botnet] criminals to fix, and not just for others to exploit," says RSA's Sean Brady. http://www.darkreading.com/security/client/showArticle.jhtml;jsessionid=QOOXXFKK3IM54QSNDLPCKHSCJUNN2JVN?articleID=217201422
[This is a scary excerpt from a recent post in alt.folklore.computers. GW] Unlike you, I actually still have a job. Guess what I do? I'm a Database Manager. I've had to deal with and fix more f**kups than you've had hot dinners. For example, a current task is updating the TACO table released by the Illinois Environmental Protection Agency. Standard procedure is to compare the current update to the previous release and check for discrepancies. Now, it's possible that the CAS number of Tin that was incorrect in the old table (440-31-5 instead of 7440-31-5) was a typo on the part of the person entering the data. But when I noticed the CAS number of bis(2-chloroisopropyl)ether was 39638-32-9 instead of 108-60-1, that is definitely NOT a typo (unless the person entering the data sneezed at that moment.) It was clearly a f**kup on the part of the state, obviously caused by the fact that bis(2-chloroisopropyl)ether & 2,2'-dichlorodiisopropylether are both C6 H12 CL2 O.
Yesterday I noticed an item on sale for a great price so I picked up four and proceeded to the checkout. When the cashier rang up the items oddly the fourth was charged at the non sale price. We quickly surmised that there was probably a limit of three available at the sale price. Since I wasn't interested in paying the normal price for the fourth item, I asked to take that one back. Normally this is a quick routine matter. The cashier voids the item by hitting a key on the cash register and then re-scans the item to deduct it from the tab. What happened next was bizarre. Instead of deducting the normal price of $3.49 that I was charged, it deducted the sale price of $1.88. Hmmm.... I was assuming that the register would have used a stack model, removing the last item that had transacted at $3.49. Maybe the register software was using FIFO instead? Then it got more surreal. Fortunately no-one was waiting in line so the cashier voided the other 3 items, hoping to clear the FIFO. But all 4 items deducted the sale price of $1.88 from the total. None of them deducted the normal price of $3.49. So here we have the strange arithmetic of A+B+C+D - (A+B+C+D) > 0. In fact if the cash register software is to be believed $0.00 = $1.61 which is the amount remaining on the cash register that I would pay for a null basket. The only way out was to void the entire transaction (which required the manager to intervene) and start over. So here we have a state machine that enables easy access to an unfavorable state (overpaying for an item) but difficult to transition back out to the favored state (because the manager is required). This creates something of a trap that will result in some customers overpaying.
If you make the mistake of bringing sale items that exceed the limit (easy to do since the limit was not posted), you will overpay unless you and the cashier take these actions: 1) Notice the overcharge (I would have missed this had the cashier not been alert) 2) Notice that voiding an item does not remove the overcharge and/or: 3) Call a manager to void the entire transaction This occurred at a large USA retail chain with thousands of stores and millions of customers. This retailer stands to reap a windfall profit from customers who don't notice that they are being overcharged. If a similar situation occurred in casino gaming machines you can bet that regulators would become quickly involved.
(Re: RISKS 25.60) [Apologies for missing this one earlier. Thanks to JK for poking me. PGN] It would be good if people would do the research necessary to avoid spreading misinformation. This theft of credit-card numbers was not accomplished by eavesdropping on WiFi networks, but rather through the use of a skimmer. See, for example, http://awfulmarketing.com/2009/02/09/credit-card-numbers-stolen-from-best-buy-in-fl/ for additional details.
[The paper deadline is 10 May 2009. Strangely, security is not explicitly mentioned in the list of potential topic areas. PGN] 8th International Workshop on Real-Time Networks (RTN'09) http://www.hurray.isep.ipp.pt/rtn09 June 30, 2009, Dublin, Ireland in conjunction with the 21st Euromicro Intl Conference on Real-Time Systems (ECRTS'09) http://ecrts09.dsg.cs.tcd.ie/ The workshop is seeking original research and position papers dealing with hot topics in real-time networks.