The RISKS Digest

Forum on Risks to the Public in Computers and Related Systems

ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

Volume 25 Issue 77

Tuesday 1 September 2009

Contents

UK Chinook helicopters grounded for *years* due to software problems
Danny Burstein
DNA Evidence Can Be Fabricated, Scientists Show
Monty Solomon
Computer-driven class schedules
David Lesher
Computer to blame for man's fiery death
Gene Wirchenko
RFI isn't all harmless: turns on oven
David Lesher
Pepper-spray ATMs
Jeremy Epstein
The VA erroneously informs over a thousand vets of fatal diagnosis
Rob McCool
ROTC Computer Files Found in the Public Domain
Monty Solomon
Hackers break into police computer as sting backfires
Andrew Pam
3 Indicted in Theft of 130 Million Card Numbers
Monty Solomon
AT&T unable to protect Kevin Mitnick's account
David Magda
Swiss Data Protection orders Google Streetview offline
Peter Houppermans
Canadian model gets Google to unmask nasty blogger
Simon Avery via PGN
Cannot print on Tuesdays!
Phil Colbourn
GSM's A5/1 cipher being brute forced
David Magda
The Pirate Bay Returns With Guns Blazing
jidanni
Bad questions for account retrieval
Jeremy Epstein
Take only pictures *we* like
David Lesher
Re: Kentucky election fraud indictments
Drew Dean
Stephen Albin. The Art of Software Architecture
David Schneider
Info on RISKS (comp.risks)

UK Chinook helicopters grounded for *years* due to software problems

danny burstein <dannyb@panix.com>
Tue, 25 Aug 2009 12:45:56 -0400 (EDT)

[UK news sources: UK bought Boeing helicopters, figured they'd
save money by designing their own software...]

When the [Boeing] Chinooks were delivered in 2001 at a cost of 259 million
[British pounds] - the [software] codes would have pushed the price to over
300 million - they could not be certified because of the lack of software.

They could be flown but pilots were barred from taking the controls in
cloudy conditions or at low altitude. ....  While all the discussions were
going on the Chinooks had been idle in their hangars. Between 2001 and 2007
the helicopters had to be inspected once a week and moved out of the hangars
every two years for more detailed checks, at a total cost of 560,000
[pounds].

Rest (with links to related stories and lots of interesting reader comments):
  http://www.timesonline.co.uk/tol/news/politics/article6808604.ece


DNA Evidence Can Be Fabricated, Scientists Show

Monty Solomon <monty@roscom.com>
Wed, 19 Aug 2009 00:10:08 -0400

Scientists in Israel have demonstrated that it is possible to fabricate DNA
evidence, undermining the credibility of what has been considered the gold
standard of proof in criminal cases.  The scientists fabricated blood and
saliva samples containing DNA from a person other than the donor of the
blood and saliva. They also showed that if they had access to a DNA profile
in a database, they could construct a sample of DNA to match that profile
without obtaining any tissue from that person.  "You can just engineer a
crime scene," said Dan Frumkin, lead author of the paper, which has been
published online by the journal Forensic Science International:
Genetics. "Any biology undergraduate could perform this."  [Source: Andrew
Pollack, *The New York Times*, 18 Aug 2009; PGN-ed]
  http://www.nytimes.com/2009/08/18/science/18dna.html


Computer-driven class schedules

"David Lesher" <wb8foz@panix.com>
Thu, 27 Aug 2009 18:41:32 -0400 (EDT)

  [would Ferris Bueller get the week off?]

Prince Georges [MD] Public Schools $4.1 million SchoolMax student scheduling
system has left thousands of its high school students with no schedules, and
thus no classes.

Those students have spent the first few days of school sitting in the gym,
cafeteria, or other holding areas.

While the number of still-unscheduled students has fallen from the first
day's 8000 [of 41,000 total] to roughly 2000, that does not include those in
the wrong classes; including one where administrators have, in effect,
randomly assigned students to any available class.

The saga sounds oh so familiar to RISKS regulars; a big changeover, no manual
fallback scheme, approaching deadlines, with complaints about inadequate
training, and big increases in the time needed [from ~10 minutes to 45 per
student!] for core tasks.

But SchoolMax is not a new creation, nor are these issues. It was deployed
for 300,000 in the Los Angeles Unified School District, and Richmond County,
Georgia had similar issues in 2004.

So who's not learning here: SchoolMax, its school-system clients, or their
students?

Class Chaos Persists at Prince George's High Schools
<http://www.washingtonpost.com/wp-dyn/content/article/2009/08/27/AR2009082701518_pf.html>


Computer to blame for man's fiery death

Gene Wirchenko <genew@ocis.net>
Thu, 27 Aug 2009 19:03:19 -0700

A laptop computer that burst into flames after being left on a couch is to
blame for a Vancouver man's death, prompting a public warning from the
British Columbia Coroners Service not to leave the devices on soft
furniture.  [Source: *The Daily News*, Kamloops, British Columbia, Canada,
27 Aug 2009, A4; PGN-ed]


RFI isn't all harmless: turns on oven

"David Lesher" <wb8foz@panix.com>
Tue, 18 Aug 2009 23:28:08 -0400 (EDT)

RFI is usually an annoyance but seldom harmful. Here's an exception.
A UPI article of 18 Aug reports:

Andrei Melnikov said his Maytag Magic Chef stove beeps and turns its broiler
onto the highest setting if his phone, which he has had for about three
years, receives an incoming call while within two feet of the appliance,
WABC-TV, New York, reported Tuesday. ... He said the stove is currently
unplugged and Maytag has agreed to send a repair crew to get to the bottom
of the problem.

GSM cell phones are noted for causing audible RFI in other receivers
nearby. Looks like some Maytag ranges are equally vulnerable.

  [Also reported by David Hollman and by Kevin Connolly, who added, ``Here
  in Ireland the electrical regulations require a wall switch to isolate the
  mains supply to a cooker when not in use. It is good advice to use it.''
  PGN]


Pepper-spray ATMs

Jeremy Epstein <jeremy.j.epstein@gmail.com>
Wed, 26 Aug 2009 10:44:01 -0400

Haven't seen this in RISKS - I first heard about it on NPR's Wait Wait
(waitwait.npr.org) as part of their truth-is-weirder-than-fiction contest,
so was initially skeptical, but it appears to be true.  Seems that some
South African ATMs are equipped with pepper spray to (under software
control) spray anyone who tampers with the machines.  According to the (UK)
Guardian, "the technology uses cameras to detect people tampering with the
card slots. Another machine then ejects pepper spray to stun the culprit
while police response teams race to the scene."  The Guardian report says
that three servicing technicians were hit while (legitimately) repairing the
machines.

It doesn't take a rocket scientist to figure out that when there's software
involved, there's opportunities for it to go wrong.  And as someone on a
blog pointed out, this technology can also be used by the bad guys - get the
ATM to trigger on a legitimate customer, and while the customer is
incapacitated, take their ATM card and whatever other valuables they have.

http://www.guardian.co.uk/world/2009/jul/12/south-africa-cash-machine-pepper-spray
(and many others, which all seem to use pretty much the same text)


The VA erroneously informs over a thousand vets of fatal diagnosis

Rob McCool <robm@robm.com>
Thu, 27 Aug 2009 14:26:30 -0700 (PDT)

http://fcw.com/articles/2009/08/26/va-erroneously-informs-vets-of-fatal-disease-diagnosis.aspx

Through a data maintenance error, the Department of Veterans Affairs recently
sent out automated letters to as many as 1200 veterans telling them that they
had the fatal neurological disorder known as Lou Gehrig's disease.

A diagnostic code was chosen many years ago for "unknown neurological
disorder". That itself is an example of the often problematic
"miscellaneous" hole in most categorization systems. Some things simply defy
categorization. Later, the diagnostic code was expanded to include Lou
Gehrig's disease.

Still later, the VA decided to make Lou Gehrig's disease a service-connected
disability. So they sent the automated letters to inform affected vets that
benefits were available.  Up to 1200 people were erroneously informed of
this and the office is getting more than 50 calls a day from veterans in an
understandable panic.


ROTC Computer Files Found in the Public Domain

Monty Solomon <monty@roscom.com>
Sat, 22 Aug 2009 02:04:00 -0400

Art Jahnke, Technology error exposes personal information, BU News,
20 Aug 2009

A file transfer program erroneously installed on a server in an Army Reserve
Officers' Training Corps (ROTC) office at Boston University inadvertently
exposed personal information about thousands of people affiliated with the
program. University officials say the compromised computer was taken
off-line when the breach was identified on July 28; they are working with
the U.S. Army Cadet Command to contact every person whose information was
placed at risk.

The incident involved information on 6,675 people, say University
administrators, 406 of whom are affiliated with BU. Officials believe
the rest come from ROTC branches around the country. ...

http://www.bu.edu/today/campus-life/2009/08/17/rotc-computer-files-found-public-domain


Hackers break into police computer as sting backfires

Andrew Pam <andrew@sericyb.com.au>
Tue, 18 Aug 2009 14:30:49 +0930

"An Australian Federal Police boast, on the ABC's Four Corners program
last night, about officers breaking up an underground hacker forum, has
backfired after hackers broke into a federal police computer system.

Security consultants say police appear to have been using the computer
as a honeypot to collect information on members of the forum but the
scheme came undone after the officers forgot to set a password."

http://www.theage.com.au/technology/security/hackers-break-into-police-computer-as-sting-backfires-20090818-eohc.html


3 Indicted in Theft of 130 Million Card Numbers

Monty Solomon <monty@roscom.com>
Fri, 28 Aug 2009 23:38:49 -0400

On 24 Aug 2009, Albert Gonzalez was indicted along with two unspecified
Russian conspirators.  Charges included theft of 130 million credit and
debit card numbers from late 2006 to early 2008 from various sources --
Heartland Payment Systems, 7-Eleven, Hannaford Brothers, and others.  Some
of those numbers were sold online and used in identity frauds.  Gonzalez is
already awaiting trial for previous cases involving T.J. Maxx (in
Massachusetts) and the Dave & Buster restaurant chain (in New York).
[Source: Brad Stone, *The New York Times*, 18 Aug 2009; PGN-ed]
  http://www.nytimes.com/2009/08/18/technology/18card.html


AT&T unable to protect Kevin Mitnick's account

"David Magda" <dmagda@ee.ryerson.ca>
Thu, 20 Aug 2009 11:15:24 -0400 (EDT)

It's a good thing that most people are not as "high profile" as Kevin
Mitnick, as otherwise their phone records would be practically public
records:

> Over the past month, both HostedHere.net, his longtime webhost, and AT&T,
> his cellular provider since he was released from prison more than nine
> years ago, have told him they no longer want him as a customer. The
> reason: his status as a celebrity hacker makes his accounts too hard to
> defend against the legions of script kiddies who regularly attack them.
http://www.theregister.co.uk/2009/08/19/att_dumps_kevin_mitnick/

Of course the rest of AT&T customers' accounts are probably not better
protected and just as vulnerable. If Mr. Mitnick does change providers, I'm
curious to know if they'll do any better than AT&T has.

  [Also noted by David Lesher.  PGN]


Swiss Data Protection orders Google Streetview offline

Peter Houppermans <peter@houppermans.com>
Sat, 22 Aug 2009 15:28:52 +0200

The risk of not living up to your promises when you do mass surveillance:
the Swiss newspaper NZZ reports today that the Swiss office for Data
Protection (http://www.edoeb.admin.ch) has asked Google to immediately shut
down the Swiss part of Google Streetview because it does not meet Data
Protection standards - the masking of license plates and faces is
insufficient.  The (German language) article is at
http://preview.tinyurl.com/nwsl65.

I can attest to that, I had a quick browse of a place I know, and the
promised masking of faces was in quite a few cases simply absent.

The Swiss Data Protection office doesn't consider the "you can opt out if
you want" approach as acceptable, a point I can only agree with when it
comes to privacy.  I've read through a Q&A
(http://preview.tinyurl.com/muor75, no English version available) with
Google provided answers, and that contains a few classics:

(a) people would know in advance where the cars would be, "so they could act
accordingly" - a fantastic idea to move your obligation to the people you're
surveilling ("just go and hide if you don't like it")

(b) you can always have your picture removed - which only requires you to
remember where exactly you saw the camera car, several months later.

It appears Google has also offered to remove house images if so required.  I
think that's a bit much, but from what I've seen so far it would be a good
idea if they would at least obscure windows.  The resolution of the images
is in some cases sufficient to make out what's INSIDE houses close to the
street.

But hey, according to Google they should have had their curtains drawn when
Google came filming.

English translation available at http://preview.tinyurl.com/m3vokf.


Canadian model gets Google to unmask nasty blogger

"Peter G. Neumann" <neumann@csl.sri.com>
Thu, 20 Aug 2009 15:59:02 PDT

Legal ruling will force Internet search giant to reveal identity of
blogger who posted derogatory comments about Liskula Cohen.
[Source: Simon Avery, *Globe and Mail*, 20 Aug 2009]


Cannot print on Tuesdays!

phil colbourn <philcolbourn@gmail.com>
Sun, 16 Aug 2009 11:27:21 +1000

Today I came across an interesting bug mentioned on a blog. The problem was
that printing for some people failed occasionally. Later someone noted that
his wife had been complaining that she couldn't print on Tuesdays!

In reading through the bug report people were initially claiming that it
must be an OpenOffice bug since all other applications printed fine. Others
noted that it comes and goes. One user found a solution: To remove and purge
the system of OpenOffice and re-install (an easy task on Ubuntu). He
reported on a Thursday that this fixed his printing problem.

Two weeks later he reported (on a Tuesday) that his solution did not work
after all. Nearly 4 months later the wife of an Ubuntu hacker complained that
OpenOffice would not print on Tuesdays. I can imagine the scenario:

Wife: Steve, the printer will not work on Tuesdays.
Steve: That's the printer's day off - Of course it will not print on Tuesdays.
Wife: No, I'm serious! I can not print from OpenOffice on Tuesdays.
Steve: (Unbelieving..) Ok... Show me.
Wife: I can't show you.
Steve: (Rolling eyes..) Why?
Wife: It's Wednesday!
Steve: (Nods. He says slowly...) Right.

The problem seemed to be tracked down to a program called 'file'. This *NIX
utility uses patterns to detect file types, e.g. if the file starts with '%!'
followed by 'PS-Adobe-' then it is a PostScript file. It seems that
OpenOffice writes the date to the postscript file. On Tuesdays it takes the
form of %%CreationDate: (Tue MMM D hh:mm:...)

An error in the pattern for an Erlang JAM file meant that 'Tue' in the
PostScript file was being recognised as an Erlang JAM file and so,
presumably, it was not being sent to the printer.

The Erlang JAM file pattern is:
  4 string Tue Jan 22 14:32:44 MET 1991 Erlang JAM file - version 4.2

It should have been
  4 string Tue\ Jan\ 22\ 14:32:44\ MET\ 1991 Erlang JAM file - version 4.2

With the large number of file types that this program attempts to match
(over 1600) it is not surprising that errors are made in the patterns, but
also the order of matching could mean that false positives are common. In
this case, an Erlang JAM file was matched before the PostScript match
occurred.

References:
http://mdzlog.alcor.net/2009/08/15/bohrbugs-openoffice-org-wont-print-on-tuesdays/

Reported as this bug:
https://bugs.edge.launchpad.net/ubuntu/+source/cupsys/+bug/255161

Later made a duplicate to this bug:
https://bugs.edge.launchpad.net/ubuntu/+source/file/+bug/248619.

http://www.blaxlandweather.com/ http://philatwarrimoo.blogspot.com
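The failure described above, as an added example that is not part of the original post and not code from file(1) or libmagic: a toy model of how a magic line is tokenised, run against a constructed OpenOffice-style PostScript header. The offset-4 rule is the one quoted in the post; the second rule probing offset 79 with the same string is my recollection of file's erlang magic of that era (treat it as an assumption and check your own magic database), the PostScript rule text and the sample header are constructed for this example, and the header is sized so that the day name lands at byte 79. Only the 'string' type is modelled; numeric types, '>' continuation lines and libmagic's strength-based ordering are left out.

```python
"""Toy model of file(1) magic-rule parsing (added example, not file's code):
why an unescaped space in the Erlang JAM pattern turned Tuesday's PostScript
into "Erlang JAM file". Only 'string' rules are modelled.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    offset: int     # byte offset at which the value must appear
    value: bytes    # bytes to compare at that offset
    message: str    # description reported on a match


# One magic field: a run of characters containing no unescaped whitespace.
_FIELD = re.compile(r"(?:\\.|[^\s\\])+")


def _unescape(token: str) -> bytes:
    """Decode the escapes a magic value may use: '\\ ' (space),
    '\\\\' (backslash) and '\\xHH' (arbitrary byte)."""
    out = bytearray()
    i = 0
    while i < len(token):
        if token[i] == "\\" and i + 1 < len(token):
            if token[i + 1] == "x" and i + 3 < len(token):
                out.append(int(token[i + 2:i + 4], 16))
                i += 4
            else:
                out += token[i + 1].encode("latin-1")
                i += 2
        else:
            out += token[i].encode("latin-1")
            i += 1
    return bytes(out)


def parse_rule(line: str) -> Rule:
    """Tokenise 'offset type value message' the way file(1) does: the first
    three fields end at unescaped whitespace and the rest is the message.
    That is exactly why 'Tue Jan 22 ...' without backslashes yields value 'Tue'
    and a message beginning 'Jan 22 ...'."""
    pos, fields = 0, []
    for _ in range(3):
        while pos < len(line) and line[pos].isspace():
            pos += 1
        m = _FIELD.match(line, pos)
        if not m:
            raise ValueError(f"malformed magic line: {line!r}")
        fields.append(m.group(0))
        pos = m.end()
    offset, kind, value = fields
    if kind != "string":
        raise ValueError(f"only 'string' rules are modelled: {line!r}")
    return Rule(int(offset, 0), _unescape(value), line[pos:].strip())


def load(lines):
    return [parse_rule(line) for line in lines]


def identify(data: bytes, rules) -> str:
    """First matching rule wins, in database order (as the post describes)."""
    for r in rules:
        if data[r.offset:r.offset + len(r.value)] == r.value:
            return r.message
    return "data"


def weak_rules(rules, min_len: int = 4):
    """Practitioner check: a string fingerprint shorter than min_len bytes is
    easy to hit by accident. It flags the swallowed-space rules below."""
    return [r for r in rules if len(r.value) < min_len]


# Rules as shipped (offset 79 is an assumption, see lead-in), then the
# PostScript rule; 'erlang' sorts before the printer magic in the database.
BUGGY_MAGIC = [
    "4 string Tue Jan 22 14:32:44 MET 1991 Erlang JAM file - version 4.2",
    "79 string Tue Jan 22 14:32:44 MET 1991 Erlang JAM file - version 4.2",
    "0 string %!PS-Adobe- PostScript document text",
]
FIXED_MAGIC = [
    r"4 string Tue\ Jan\ 22\ 14:32:44\ MET\ 1991 Erlang JAM file - version 4.2",
    r"79 string Tue\ Jan\ 22\ 14:32:44\ MET\ 1991 Erlang JAM file - version 4.2",
    "0 string %!PS-Adobe- PostScript document text",
]


def sample_postscript(creation_date: str) -> bytes:
    """Constructed DSC header; the lines before %%CreationDate are sized so
    the day name lands at byte offset 79."""
    return (b"%!PS-Adobe-3.0\n"
            b"%%BoundingBox: 0 0 595 842\n"
            b"%%Creator: Writer 3\n"
            b"%%CreationDate: (" + creation_date.encode("ascii") + b")\n"
            b"%%Pages: 1\n"
            b"%%EndComments\n")


TUESDAY = "Tue Aug 11 10:30:00 2009"     # 11 Aug 2009 was a Tuesday
WEDNESDAY = "Wed Aug 12 10:30:00 2009"

if __name__ == "__main__":
    for name, magic in (("buggy", BUGGY_MAGIC), ("fixed", FIXED_MAGIC)):
        rules = load(magic)
        for day in (TUESDAY, WEDNESDAY):
            print(f"{name:5} {day[:3]}: {identify(sample_postscript(day), rules)}")
    print("weak rules:", [(r.offset, r.value) for r in weak_rules(load(BUGGY_MAGIC))])
```

With the buggy database the Tuesday header is reported as an Erlang JAM file and the Wednesday header as PostScript; with the escaped pattern both come back as PostScript. The weak-rule check is the kind of lint worth running over any hand-maintained signature set, since a three-byte fingerprint at a fixed offset will eventually collide with ordinary text.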


GSM's A5/1 cipher being brute forced

David Magda <dmagda@ee.ryerson.ca>
Tue, 25 Aug 2009 21:41:43 -0400

Looks like the GSM folks may want to think about upgrading to a better
algorithm:

> It will take 80 high-performance computers about three months to do
> a brute force attack on A5/1 and create a large look-up table that
> will serve as the code book, said Nohl, who announced the project at
> the Hacking at Random conference in the Netherlands 10 days ago.
>
> Using the code book, anyone could get the encryption key for any GSM
> call, SMS message, or other communication encrypted with A5/1 and
> listen to the call or read the data in the clear.  [...]
> Carriers should upgrade the encryption or move voice services to 3G,
> which has much stronger encryption, [Karsten] Nohl said.

http://news.cnet.com/8301-27080_3-10316812-245.html

Is there any reason why future mobile standards shouldn't just use AES?

Given that most governments can tap phone calls for lawful purposes once the
signal hits the tower, what possible use would there be to having a weak
cipher for radio transmissions?


The Pirate Bay Returns With Guns Blazing

<jidanni@jidanni.org>
Thu, 27 Aug 2009 01:10:45 +0800

When The Pirate Bay was shut down by the authorities yesterday many believed
that this was the end for the Internet's largest BitTorrent tracker.

A mere three hours after it went offline the site reappeared from a
different location.

The Pirate Bay team released the following statement, adapted from
Churchill's famous "We Shall Fight On the Beaches" speech.

"We have, ourselves, full confidence that if all do their duty, if nothing
is neglected, and if the best arrangements are made, as they are being made,
we shall prove ourselves once more able to defend our Internets..."

http://torrentfreak.com/the-pirate-bay-returns-with-guns-blazing-090825/


Bad questions for account retrieval

Jeremy Epstein <jeremy.j.epstein@gmail.com>
Thu, 20 Aug 2009 19:31:02 -0400

A recent study [1] showed that the "security questions" used for recovering
account access tend to be easily guessable, even by strangers, and the
answers are almost as frequently forgotten by the account owner.  As pointed
out in that article, it's important in choosing questions that they have
relatively unchanging answers, or else customers will be unable to recall
the answer a year or two down the road when they're needed.  That's of
course why questions like birthplace and mother's maiden name are "good"
from the memory perspective, even though they're bad from the security
perspective.

So the other day I was helping my son apply for a student credit card at
Citibank, and was somewhat amused that the following were the *only*
questions allowed (I think you had to have answers to three of them):

(A) Best friend's last name
(B) Pet's name
(C) Favorite teacher's last name
(D) Last 4 digits of friend/relative phone #
(E) Other

(A) might be mined from Facebook or a similar page (a large fraction of
people will probably list their spouse's name!); if it's not their spouse,
for many people this will change over time. (*) [1] notes that "best
childhood friend" is frequently forgotten and fairly easily guessed; "best
friend" is both easily guessed and subject to change.  As noted in [1], (B)
is easily guessed (although less likely to change than (A)).  (C) is likely
to change over time.  (D) has the disadvantages of the person changing, as
well as choosing which phone number (cell/home/work); also many of the
college students who are the target of this application don't know their
friends' phone numbers since they're all programmed into cell phone memory.
And their implementation of (E) doesn't allow you to put in a hint, but the
answer is limited to 10 characters.

The risk?  In the move to trying to improve the security of backup
questions, even big companies can miss the point....

[1] "It's no secret: Measuring the security and reliability of
authentication via 'secret' questions", Stuart Schechter, A.J. Bernheim
Brush, and Serge Egelman, 2009 IEEE Symposium on Research in Security and
Privacy, http://research.microsoft.com/apps/pubs/default.aspx?id=79594

(*) For some people, the spouse's name will also change over time, but
    that's outside the scope of this note.


Take only pictures *we* like

"David Lesher" <wb8foz@panix.com>
Sun, 23 Aug 2009 15:14:51 -0400 (EDT)

Ever vigilant against terrorism, the LAPD gets specific instructions:

<http://online.wsj.com/public/resources/documents/mccarecommendation-06132008.pdf>

  A Suspicious Activity Report (SAR) is a report used to document any
  reported or observed activity, or any criminal act or attempted
  criminal act, which an officer believes may reveal a nexus to foreign
  or domestic terrorism. The information reported in a SAR may be the
  result of observations or investigations by police officers, or may be
  reported to them by private parties. Incidents which shall be reported
  on a SAR are as follows: [...]

    Takes pictures or video footage (with no apparent aesthetic value, i.e.,
    camera angles, security equipment, security personnel, traffic lights,
    building entrances, etc.).

There are so many fallacies here I don't know where to start.

a) People taking pictures is a terrorism problem. Well, sure, but so is
driving on freeways, and buying BBQ grill fuel, and....

b) But only *some* takers may be terrorists. Jack and Jill Instamatic,
suspect; All Kinda Productions, of course not -- terrorists can't be part of
our economic base. [Err... What BETTER way to hide an attack than fake up a
movie over same, and hire off-duty cops for security?]

c) LAPD's finest's esthetic value judgment is up to the task of
differentiating between terrorism and turkeys. Err, I've seen their HQ
building; and besides, not even the Hollywood power barons manage that task
well - witness this summer's flops such as GI Joe.

d) But NO DOUBT, the database from those SAR's shall be used both to
harass/arrest Jack & Jill's associates, and the fact that data came from a
computer renders it irreproachable. Garbage In, Garbage Out *still* does no
good and much ill.


Re: Kentucky election fraud indictments (RISKS-25.76)

Drew Dean <ddean@csl.sri.com>
Mon, 17 Aug 2009 11:54:48 -0700

On Aug 15, 2009, at 3:26 PM, RISKS List Owner wrote:

> In the November 2009 election in Kentucky, there was a serious discrepancy
         ^^^^^^^  ^^^^

I must say, electronic voting systems have become quite advanced if
they can commit fraud in future elections! :-)

  [My goof.  The indictment actually covered the 2002, 2004, and 2006
  elections. Ray Gardner noted that the elections affected by the ES&S user
  interface exploit were just 2004 and 2006. The county didn't get those
  machines until 2003. The 2002 fraud was apparently of another sort.
  And I am neither prescient nor postscient.  PGN]


Stephen Albin. The Art of Software Architecture

David Schneider <pd@hq.acm.org>
Thu, 20 Aug 2009 13:03:42 -0400

Stephen Albin
The Art of Software Architecture: Design Methods and Techniques
August 2009 ACM Featured Online Book for Professional Members

The ACM Featured Online Book Program focuses on books in the ACM Collection
that are highly used and highly reviewed. A different book will be featured
in each newsletter. This issue features a title from our Books24x7
collection.

Stephen Albin. The Art of Software Architecture: Design Methods and Techniques

This book synthesizes and distills information so that the practicing
software architect, and especially the beginning software architect, can
fill in the gaps in their understanding of software architecture design.
This innovative book uncovers all the steps readers should follow in order
to build successful software and systems. With the help of numerous
examples, Albin clearly shows how to incorporate Java, XML, SOAP, ebXML, and
BizTalk when designing true distributed business systems. The book not only
teaches how to easily integrate design patterns into software design, but
also documents all architectures in UML and presents code in either Java or
C++.

Bernard Kuc of Computing Reviews said "Albin presents extensive coverage of
the current state of the art in software architecture. Throughout the book,
he remains focused on software architecture. He does not give in to the
temptation of going deeper into software engineering and design, an area
already well covered elsewhere, and hence achieves coverage of a wide
breadth of material in relatively few pages."

One Amazon reviewer, who rated the book 5 stars, said of the book: "This book
uses real world examples and practical advice coupled with academic rigor.
It provided tremendously helpful insights into how I can improve the efforts
of my team."

Feedback:

We are always looking for feedback and recommendations on our book offerings.
If you know of a book you would like ACM to consider offering, please email
me at Schneider@hq.acm.org.

David Schneider, Education Manager, Association for Computing Machinery
