The Risks Digest

The RISKS Digest

Forum on Risks to the Public in Computers and Related Systems

ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

Volume 25 Issue 66

Sunday 10 May 2009

Contents

FAA ATC shutdown
Linda Gorman
Documented risks to FAA computers
John Sawyer
Pipe Leak at NY Indian Point Nuclear Plant Raises Concerns
Gabe Goldberg
Minnesota court says defendants have right to see source code
Mark Thorson
Obama, McCain legal teams promote state-level clean election practices
David Lesher
Richard A. Clarke: Obama's Challenge in Cyberspace
David Farber
`Computer glitch' disrupts Boston city payroll
Monty Solomon
Teenage hiker's calls ignored; no street address
Rohan Sullivan
Hackers Break Into Virginia Health Professions Database, Demand Ransom
Brian Krebs via Monty Solomon
UCBerkeley health service hacked, with 160,000 at risk of ID theft
Henry Lee via Ari Ollikainen
How to guarantee bad passwords
Jeremy Epstein
Lexis Nexis does an Oopsis. Data breach...
Danny Burstein
"Server issues" delay Nielsen ratings
George Mannes
Researchers Take Over Dangerous Botnet
ACM TechNews
Materials Database Problem
Gene Wirchenko
Strange cash register arithmetic favors the house
Bart Thielges
Re: Credit card numbers *not* plucked out of the air at FL Best Buy
Jonathan Kamens
Real-Time Networks RTN'09
ECRTS
Info on RISKS (comp.risks)

FAA ATC shutdown

"Linda Gorman" <linda@i2i.org>
Thu, 7 May 2009 09:34:17 -0600

Civilian air-traffic control system computer networks have been penetrated
multiple times in recent years, including an attack that partially shut down
ATC systems in Alaska.  The FAA is expecting to spend about $20 billion in
an upgrade over the next 15 years.  [Source: *Wall Street Journal*, 7 May
2009; PGN-ed]
http://online.wsj.com/article/SB124165272826193727.html

  [RISKS readers will recall that the previous attempted upgrade cost about
  $4B before it was scuttled.  PGN]

As an economist I'm primarily interested in this case for two reasons: a)
whether as a practical and theoretical matter the US government can purchase
and maintain modern information systems for specialized civilian
applications given that the FAA has been trying and failing to do so for 20
years even as private corporations created for that purpose, entities like
Nav Canada and even the US Postal Service, have been more successful, and b)
the application that this failure has to the prevailing mythology of how
expanding government control over health information storage architecture
will improve care and lower costs. To date the myth or electronic systems to
the rescue continues to grab people even though almost all of the real world
tests of the effects of expanded government control suggest that the most
likely result it higher costs and degraded care.

Linda Gorman, Director, Health Care Policy Center, Independence Institute,
Golden, Colorado


Documented risks to FAA computers

John Sawyer <jpgsawyer@googlemail.com>
Thu, 7 May 2009 09:35:02 +0100

I thought this would be of interest to RISKS readers.

http://www.flightglobal.com/articles/2009/05/06/326132/us-air-traffic-exposed-to-serious-harm-from-cyber.html

Scary stuff if the risks are as serious discussed.

  [See also CNET.  PGN]
  http://news.cnet.com/8301-1009_3-10236028-83.html?tag=newsEditorsPicksArea.0

  [The risks are not newly identified.  For example, see my Computer
  Security in Aviation: Vulnerabilities, Threats, and Risks, International
  Conference on Aviation Safety and Security in the 21st Century, 13-15
  January 1997, for the White House (Gore) Commission on Safety and
  Security.
    http://www.csl.sri.com/neumann/air.html
  However, perhaps the awareness climate is finally changing.  PGN]


Pipe Leak at NY Indian Point Nuclear Plant Raises Concerns

Gabe Goldberg <gabe@gabegold.com>
Fri, 01 May 2009 14:39:32 -0400

Not directly a computer risk but it raises the question of how 100,000
gallons of water could go missing; the leak was only discovered when someone
noticed water flowing across the floor. Funny, that's the same technology by
which my wife just notices a basement leak in our house.  I'm thinking about
installing a water detector -- maybe Entergy should also.

 - ----

... it has raised concerns about the monitoring of decades-old buried pipes
at the nation's nuclear plants, many of which are applying for renewal of
their operating licenses. Indian Point 2, whose 40-year operating license
expires in 2013, already faces harsh criticism from New York State and
county officials who want it shut down.

Representative Edward J. Markey, the Massachusetts Democrat who heads a
House subcommittee on energy and the environment, said the leak raised
serious questions about Entergy's and the regulatory commission's oversight.
"This leak may demonstrate a systemic failure of the licensee and the
commission to inspect critical buried pipes in a manner sufficient to
guarantee the public health and safety," he wrote to the commission's
chairman, Dale Klein, in a letter on Thursday. The letter was also signed by
Representative John J. Hall, whose district includes the plant. The
congressmen said they were "shocked" that a leak that big could develop
without detection and called the system for detecting such problems
"profoundly inadequate."  [Source: Matthew Wald, *The New York Times*, 2 May
2009; PGN-ed]
  http://www.nytimes.com/2009/05/02/nyregion/02nuke.html?hp


Minnesota court says defendants have right to see source code

Mark Thorson <eee@sonic.net>
Sun, 03 May 2009 17:55:34 -0700

Drunk driving defendants demand to see source code for testing machines,
Minnesota state supreme court rules they have that right, but machine maker
refuses citing trade secrecy.
  http://www.twincities.com/news/ci_12267906?source=rss


Obama, McCain legal teams promote state-level clean election practices

"David Lesher" <wb8foz@panix.com>
Fri, 8 May 2009 01:06:52 -0400 (EDT)

http://www.rollcall.com/issues/54_125/guest/34584-1.html?type=printer_friendly

Robert F. Bauer and Trevor Potter are attorneys in private practice,
specializing in election law. Bauer served as general counsel to the Obama
presidential campaign, and Potter was general counsel to the McCain
presidential campaign.

Robert F. Bauer and Trevor Potter,
Next Phase of Election Reform: Start With Facts, 5 May 2009

As the general counsel to the Obama and McCain campaigns, we had our
disagreements - a fair number of them, as a matter of fact. But we share a
deep commitment to fair and well-run elections in which all qualified voters
have the opportunity to vote, and all the votes that they cast are
accurately counted.  Looking back on the 2008 elections, we have no doubt
that reforms in the administration of elections in this country are needed
if we are to meet these standards. We also believe such reforms can be
achieved, with potentially transformative success for the American voter.

It may be news to many readers that reforms are still needed. The media
widely reported a smooth election, and in some places, those reports were
accurate. The problems - and there were many, scattered across the country -
received comparatively little attention because the outcome of the voting
was clear.

State voter registration lists suffered from various levels of
inaccuracies, there were controversies over registration drives, the
lines for early voting almost overwhelmed the system in some states,
and absentee ballots often reached voters too late to be cast,
especially for armed forces members overseas.

And on Election Day, there were many reports of more long lines,
inadequate ballots, malfunctioning machines and voters turned away
because of registration issues across the country.

If the election had been close, there would have been legal
controversies over counting hundreds of thousands of absentee and
provisional ballots in key states.
...

Data provide the reality check that forecloses the most extreme
positions. Unfortunately, our state and local governments do not
generate, let alone make public, the most basic information on how
well the system is working. Many states cannot tell you how many
people showed up to vote on Election Day. Other states have no idea
how many voters are registered or how voters cast their ballots. What
little data we have suggest that jurisdictions have widely variable
numbers of provisional ballots and markedly different ballot discard
rates. Even here, however, we lack enough information to figure out
why that is so.

It is essential that the data collected is distilled into a usable form.
Voters need a readily accessible metric to hold their government accountable
for missteps and reward those who perform well.

Policymakers need solid, comparative data to referee the inevitable
fights that take place between reformers, parties, candidates and
election administrators over whether the system is working. Election
administrators need a strategy for sorting through widely varying
local practices to identify the best ones.

A critical step toward the production of this data is the Democracy
Index, proposed by Heather Gerken of Yale Law School, which would rank
states and local election systems based on performance. Such an index
would function like a U.S. News and World Report ranking for colleges,
pulling together basic information that matters to voters: How long
were the lines? How many ballots got discarded? How often did machines
break down?

This is the kind of solution that should attract strong bipartisan
support. Rather than adopting a top-down, command-and-control
approach, it relies on a market-based solution, looking to "sunshine"
- the plain light cast by the facts - to motivate responsible
officials to do better. Rather than mandate uniform national
standards, it takes advantage of local variation to spot and surface
good policy.

What's most attractive about a proposal like Gerken's is that it
should lay the groundwork for well-reasoned reforms. With better data,
we should be able to avoid fruitless discussions about the things that
don't matter and focus on the things that do. Reliable performance
data, in our view, would make visible the costs associated with our
current registration system, potentially moving us toward a system of
automatic voter registration by states, which in turn would help
eliminate the conflicts over the role of private registration
activity.

Reliable performance data would, we also suspect, help advance
discussion of the role and rules for early voting and give election
administrators the ammunition that they need to fight for the
resources that they have so long done without.

Agreement on these issues will not always be easy. But good data offer
a shared starting point for discussions about the future path of
reform.

When President Barack Obama and Secretary of State Hillary Rodham
Clinton were Senators, both proposed bills that would make the
Democracy Index a reality. The problems that we saw during the 2008
elections confirm the importance of passing just such a bill and
giving at long last a strong factual foundation to the urgent business
of reform - and a strong incentive to elected officials,
administrators and parties to get on with the hard work ahead.

2009 c Roll Call Inc. All rights reserved.


Richard A. Clarke: Obama's Challenge in Cyberspace

David Farber <dave@farber.net>
Fri, 8 May 2009 13:59:15 -0400

  [From Dave Farber's IP distribution]

http://www.huffingtonpost.com/richard-a-clarke/obamas-challenge-in-cyber_b_199926.html?view=print

In the next few days President Obama will decide whether he will live up to
his campaign promises about dealing seriously with the challenge of cyber
security by creating a White House office to direct government activity and
coordinate with the private sector. None of the options being served up to
him will create the stand alone White House office that is needed to provide
the leadership on this issue.

The reasons that this decision is important have been spread across the
media this last month. Among the facts revealed are that foreign
intelligence services have penetrated the control systems of the US electric
power grid and have left behind "logic bombs" and "trap doors;" data about
America's latest fighter aircraft, the F-35 Lightning II, has been copied
off the networks of defense contractors and sent overseas; the Pentagon
plans to appoint a new four star general to run a new Cyber Command based on
the National Security Agency (NSA); and a National Academy of Sciences blue
ribbon panel has urged caution about the US engaging in offensive cyber war.


`Computer glitch' disrupts Boston city payroll

Monty Solomon <monty@roscom.com>
Sat, 2 May 2009 01:25:53 -0400

Boston city employees could not be paid by direct deposit on 1 May 2009, as
a result of an unspecified computer problem.  The city has 17,000 employees,
but it was not clear how many of those were affected.  [Source: Andrew Ryan
and Michael Levenson, *The Boston Globe*, 1 May 2009: PGN-ed]
  http://www.boston.com/news/local/breaking_news/2009/05/computer_glitch.html


Teenage hiker's calls ignored; no street address

"Peter G. Neumann" <neumann@csl.sri.com>
Fri, 8 May 2009 13:28:42 PDT

Rohan Sullivan, Associated Press, Sydney, Australia, 7 May 2009,
  http://www.miamiherald.com/news/world/AP/story/1037803.html

Teenage hiker David Iredale used his cell phone to call Australia's
equivalent of 911, SEVEN TIMES pleading for rescue after he became lost in
tough scrubland and ran out of water in 100-degree (37 C) heat.  Each time
he got through, he was told he needed to give a street address before an
ambulance could be sent. Shortly after the final call, Ireland collapsed and
died of thirst.  A subsequent inquiry identified deep flaws in the OZ
emergency response system -- including an "astonishing lack of empathy"
but the operators.


Hackers Break Into Virginia Health Professions Database, Demand Ransom

Monty Solomon <monty@roscom.com>
Tue, 5 May 2009 23:34:18 -0400

Brian Krebs, *The Washington Post*, 4 May 2009

Hackers last week broke into a Virginia state Web site used by pharmacists
to track prescription drug abuse. They deleted records on more than 8
million patients and replaced the site's homepage with a ransom note
demanding $10 million for the return of the records, according to a posting
on Wikileaks.org, an online clearinghouse for leaked documents.

Wikileaks reports that the Web site for the Virginia Prescription Monitoring
Program was defaced last week with a message claiming that the database of
prescriptions had been bundled into an encrypted, password-protected
file. ...

http://voices.washingtonpost.com/securityfix/2009/05/hackers_break_into_virginia_he.html
http://wikileaks.org/wiki/Over_8M_Virginian_patient_records_held_to_ransom,_30_Apr_2009


UCBerkeley health service hacked, with 160,000 at risk of ID theft

Ari Ollikainen <ari@olteco.com>
May 8, 2009 3:24:58 PM EDT

  [From Dave Farber's IP]

[Source: Henry K. Lee, UC hacking leaves 160,000 at risk of ID theft,
*San Francisco Chronicle*, 8 May 2009; PGN-ed]

Overseas hackers may have stolen confidential information belonging to tens
of thousands of students and alumni at UC Berkeley and Mills College after
gaining access to computer databases at the Berkeley campus' health services
center.  The databases contained Social Security numbers, health-insurance
information and non-treatment medical information, such as immunization
records and names of some of the doctors that people may have seen and dates
of medical visits, said campus spokeswoman Janet Gilmore.  The hackers had
access to the information for six months before they were discovered. The
breach exposed 160,000 people to possible identity theft, Gilmore said. The
university is contacting potential victims, who should consider placing a
fraud alert on their credit reporting accounts.  Among those at risk are
3,400 students at Mills College in Oakland who received, or were eligible to
receive, health care at UC Berkeley.

http://sfgate.com/cgi-bin/article.cgi?f=/c/a/2009/05/08/BAPA17H89B.DTL
Archives: https://www.listbox.com/member/archive/247/=now


How to guarantee bad passwords

Jeremy Epstein <jeremy.j.epstein@gmail.com>
Thu, 30 Apr 2009 14:26:10 -0400

Getting users to choose good passwords and not write them down is always a
challenge. It's a tradeoff - if you make the requirements too loose, then an
attacker can guess the password. Make it too complex, and users have to
write them down. The rules should be proportional to the sensitivity of the
data that's accessible - read-only access to a newspaper shouldn't require
as strong a password as financial or health information.

In the "too loose" category, the extreme case I've run into was a web site
used for storing personnel information - which should have had relatively
strong requirements - that required a two character password. No quality
restrictions, no frequency of changes, nothing.  Bad choice.

Today, I ran into the other end of the spectrum. A site that requires
passwords that:
* have a minimum length of 9 characters
* must contain two upper and two lower case characters
* must contain two digits and two special characters
* must be different from the last 9 passwords you've used
* must not contain a single quote

But the kicker: passwords may not contain any word of two letters or
more. That's apparently determined (as best as I can tell through trial and
error) by comparing every substring to a dictionary. So a password like
97to$%ABC isn't acceptable, because "to" is a word. And 3-5zq?jbeLN isn't
valid either, because "be" is a word. Presumably a1b2c3d4e5** would be a
valid password, though. (I didn't try that one.)  The helpful support person
suggested not having any two letters in sequence to avoid tripping over the
rule.  Human usability, anyone?

Oh, and the password expires every 60 days, so just about when you've come
up with something that matches their criteria, it's time to change again.

Now granted this site has some sensitive information, but wouldn't it make
more sense to use certificate-based authentication, which is far harder to
attack in a brute force manner than passwords? (Assuming, that is, that
you're not using certificates with MD5 signatures.)

I'd bet that 90% of their users have the passwords written down.


Lexis Nexis does an Oopsis. Data breach...

danny burstein <dannyb@panix.com>
Fri, 1 May 2009 21:54:19 -0400 (EDT)

LexisNexis Warns 32,000 of Possible Data Breach [WINS radio news]

The LexisNexis online information service is warning 32,000 people their
personal information may have been improperly accessed in a credit card
fraud scheme that postal officials say bilked hundreds.

New York-based LexisNexis says in a letter mailed Friday that former
customers of the service may have viewed information including names, birth
dates and Social Security numbers.

rest:  http://www.1010wins.com/32K-May-Be-Victims-of-Breach/4314834


"Server issues" delay Nielsen ratings

George Mannes <gmannes@gmail.com>
Wed, 6 May 2009 14:21:52 -0400

Brian Stelter, TV Networks Frustrated by Lengthy Ratings Delay,
*The New York Times*, 6 May 2009
http://tvdecoder.blogs.nytimes.com/author/brian-stelter/
http://tvdecoder.blogs.nytimes.com/2009/05/06/tv-networks-frustrated-by-lengthy-ratings-delay/?ref=business

ABC is deciding in the next two weeks whether to renew the TV show Castle.
But the nation's television networks have not received the ratings for
Castle or for any other show since Saturday. Nielsen Media Research, in the
midst of a systems breakdown, has failed to deliver ratings for four days in
a row, and the networks are increasingly impatient.

Without the overnight ratings that decide the fates of shows, producers and
sometimes executives, the networks are flying blind only days before they
make pivotal decisions about next season's schedules. Imagine running a
movie theater without knowing how many tickets are being sold.

Nielsen attributed the delay to unspecified `server issues'.  The overnight
ratings for Sunday, Monday and Tuesday are delayed, as well as the broader
TV rankings for last week.  ``Since it's necessary to release the data in
sequence, we must process Sunday's TV ratings prior to the release of any
days this week.  We're working around the clock to get the TV ratings back
on schedule.''


Researchers Take Over Dangerous Botnet

ACM TechNews <technews@HQ.ACM.ORG>
Fri, 8 May 2009 14:13:03 -0400

Dark Reading (04 May 2009) Higgins, Kelly Jackson, ACM TechNews,  8 May 2009

University of California-Santa Barbara (UCSB) researchers temporarily
commandeered an infamous botnet known for stealing financial data and found
that the threat it represents is even greater than had been originally
assumed.  The Torpig/Sinowal/Anserin mini-botnet targets organizations and
users to steal bank account information or other sensitive personal data.
It is considered more dangerous than big-name botnets because of its small
scale and stealthiness.  Torpig uses drive-by download attacks as its
initial mode of infection, and upon infection the botnet can unleash crafty
phishing attacks that produce bogus but authentic-looking Web pages and
forms that trick users into exposing their credentials.  The UCSB
researchers accumulated approximately 70 GB of data for the 10 days they
were in control of Torpig, and in that period the botnet stole banking
credentials of 8,310 accounts from more than 400 financial institutions,
including PayPal, Capital One, E-Trade, and Chase.  Nearly half of the 1,660
stolen debit and credit card accounts the researchers counted belonged to
victims in the United States.  "The level of sophistication, the amount of
data that it is able to steal, and the fact that it has been active for more
than three years is truly remarkable," says UCSB researcher Brett
Stone-Gross.  The researchers' disclosures provoked debate on whether the
information they exposed about Torpig, its workings, and its victims could
compromise efforts to eventually undo the botnet.  "This [research] does
create a road map ... for the [botnet] criminals to fix, and not just for
others to exploit," says RSA's Sean Brady.
http://www.darkreading.com/security/client/showArticle.jhtml;jsessionid=QOOXXFKK3IM54QSNDLPCKHSCJUNN2JVN?articleID=217201422


Materials Database Problem

Gene Wirchenko <genew@ocis.net>
Wed, 06 May 2009 20:39:32 -0700

  [This is a scary excerpt from a recent post in alt.folklore.computers.  GW]

Unlike you, I actually still have a job. Guess what I do?  I'm a Database
Manager. I've had to deal with and fix more f**kups than you've had hot
dinners.

For example, a current task is updating the TACO table released by the
Illinois Environmental Protection Agency.  Standard procedure is to compare
the current update to the previous release and check for discrepancies.

Now, it's possible that the CAS number of Tin that was incorrect in the old
table (440-31-5 instead of 7440-31-5) was a typo on the part of the person
entering the data.

But when I noticed the CAS number of bis(2-chloroisopropyl)ether was
39638-32-9 instead of 108-60-1, that is definitely NOT a typo (unless the
person entering the data sneezed at that moment.)

It was clearly a f**kup on the part of the state, obviously caused by the
fact that bis(2-chloroisopropyl)ether & 2,2'- dichlorodiisopropylether are
both C6 H12 CL2 O.


Strange cash register arithmetic favors the house

Bart Thielges <Bart.Thielges@synopsys.com>
Wed, 6 May 2009 11:46:47 -0700

Yesterday I noticed an item on sale for a great price so I picked up four
and proceeded to the checkout.  When the cashier rung up the items oddly the
fourth was charged at the non sale price.  We quickly surmised that there
was probably a limit of three available at the sale price.

Since I wasn't interested in paying the normal price for the fourth item, I
asked to take that one back.  Normally this is a quick routine matter.  The
cashier voids the item by hitting a key on the cash register and then
re-scans the item to deduct it from the tab.  What happened next was
bizarre.  Instead of deducting the normal price of $3.49 that I was charged,
it deducted the sale price of $1.88.  Hmmm.... I was assuming that the
register would have used a stack model, removing the last item that had
transacted at $3.49.  Maybe the register software was using FIFO instead ?
Then it got more surreal.

Fortunately no-one was waiting in line so the cashier voided the other 3
items, hoping to clear the FIFO.  But all 4 items deducted the sale price of
$1.88 from the total.  None of them deducted the normal price of $3.49.  So
here we have the strange arithmetic of A+B+C+D - (A+B+C+D) > 0.  In fact if
the cash register software is to be believed $0.00 = $1.61 which is the
amount remaining on the cash register that I would pay for a null basket.

The only way out was to void the entire transaction (which required the
 manager to intervene) and start over.  So here we have a state machine that
 enables easy access to an unfavorable state (overpaying for a item) but
 difficult to transition back out to the favored state (because the manager
 is required).  This creates something of a trap that will result in some
 customers overpaying.  If you make the mistake of bring sale items that
 exceed the limit (easy to do since the limit was not posted), you will
 overpay unless you and the cashier take these actions :


1) Notice the overcharge (I would have missed this had the cashier not been
 alert)

2) Notice that voiding an item does not remove the overcharge and/or :

3) Call a manager to void the entire transaction

This occurred at a large USA retail chain with thousands of stores and
millions of customers.  This retailer stands to reap a windfall profit from
customers who don't notice that they are being overcharged.

If a similar situation occurred in casino gaming machines you can bet that
regulators would become quickly involved.


Re: Credit card numbers *not* plucked out of the air at FL Best Buy

Jonathan Kamens <jik@kamens.brookline.ma.us>
Mon, 9 Mar 2009 08:57:21 -0400
  (Re: RISKS 25.60)

  [Apologies for missing this one earlier.  Thanks to JK for poking me.  PGN]

It would be good if people would do the research necessary to avoid
spreading misinformation.

This theft of credit-card numbers was not accomplished by eavesdropping on
WiFi networks, but rather through the use of a skimmer.  See, for example,
http://awfulmarketing.com/2009/02/09/credit-card-numbers-stolen-from-best-buy-in-fl/
for additional details.


Real-Time Networks RTN'09

Infos about ECRTS <em-rt-info@wu-wien.ac.at>
Wed, 6 May 2009 11:34:42 +0200

  [The paper deadline is 10 May 2009.  Strangely, security is not
  explicitly mentioned in the list of potential topic areas.  PGN]

8th International Workshop on Real-Time Networks (RTN'09)
http://www.hurray.isep.ipp.pt/rtn09
June 30, 2009, Dublin, Ireland

in conjunction with the
21th Euromicro Intl Conference on Real-Time Systems (ECRTS'09)
http://ecrts09.dsg.cs.tcd.ie/

The workshop is seeking original research and position papers
dealing with hot topics in real-time networks.

Please report problems with the web pages to the maintainer

Top