The RISKS Digest
Volume 25 Issue 84

Wednesday, 25th November 2009

Forum on Risks to the Public in Computers and Related Systems

ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

Please try the URL privacy information feature enabled by clicking the flashlight icon above. This will reveal two icons after each link the body of the digest. The shield takes you to a breakdown of Terms of Service for the site - however only a small number of sites are covered at the moment. The flashlight take you to an analysis of the various trackers etc. that the linked site delivers. Please let the website maintainer know if you find this useful or not. As a RISKS reader, you will probably not be surprised by what is revealed…


Apostrophe in Your Name? You Can't Fly!
Chris J Brady
NY area bank claws back over 50,000 pension payments
Danny Burstein
Hacking ring steals $9 million from ATMs globally
Gadi Evron
Teleportation via Skyhook
Jerry Leichter
Warren Buffett cell phone skills: did they doom Lehman?
Two Are Charged With Helping Madoff Falsify Records
Robert Schaefer
Brevity of text message leads to rumor of death
Mark Brader
Nasty iPhone Worm Hints at the Future
Robert Lemos via Jim Schindler
Australian Emergency operator hangs up; no street address
Darryl Smith
"Your smart meter is watching"
Cavoukian-Polonetsky via David Magda
Failure begets failure?
At Checkout, More Ways to Avoid Cash or Plastic
Matthew Kruk
Mafia Wars CEO Brags About Scamming Users From Day One
Matthew Kruk
NY State Proposing Laws to Restrict Trucker Use of GPS
Re: Jimmy Carter era" computer causes traffic jams
Re: Drivers ticketed for not speaking English
Jerry Leichter
REVIEW: "Security and Usability", Lorrie Faith Cranor/Simson Garfinkel
Rob Slade
Info on RISKS (comp.risks)

Apostrophe in Your Name? You Can't Fly!

Chris J Brady <>
Tue, 10 Nov 2009 14:36:56 -0800 (PST)

This is the stuff of nightmares - not to mention enormous frustration and
possible stomach ulcers. If you have an apostrophe in your name - like many
of Irish descent do - you may find it impossible to board an airplane in the
coming months. Why? Because airline computers can't print an apostrophe on
the boarding pass, the name on your boarding pass will not exactly match the
name on your driver's license or passport. And beginning next year, the two
must match or you don't fly. And they call this progress. CJB.

NY area bank claws back over 50,000 pension payments

danny burstein <>
Sat, 7 Nov 2009 07:39:26 -0500 (EST)

- the bank paid the money, then grabbed it back from the accounts. Just like
we've all been promised would never, ever, happen...

[UFT press release]

  Bank error to blame for withdrawn pension payments

  Some 53,000 UFT retirees who rely on electronic pension payments had funds
  involuntarily withdrawn from their accounts on Nov. 6, causing all sorts
  of grief for those counting on the money. The Bank of New York Mellon,
  which is the transferring agent for the funds, erroneously reversed the
  October benefits payments to retirees paid through electronic fund

  "We're outraged. This is unacceptable," said UFT President Michael
  Mulgrew. "We have been on top of this since the calls first started coming
  in early Friday morning and we will continue to work until all of our
  members have been made whole.  Our first priority is to get all of the
  money back into our members' accounts."

The risks of this happening have been thrashed out before. What disturbs me
even more here is that the recipient banks simply allowed this wholesale

Given the dangers of someone even less scrupulous then this player doing,
well, the exact same thing... one would have hoped that part of the banking
security profiles on ACH transfers would include "circuit breakers" which
would get tripped on any demand of this many accounts.

Hacking ring steals $9 million from ATMs globally

Gadi Evron <>
Thu, 19 Nov 2009 12:55:57 +0200

According to an FBI press release, a global ring of hackers broke into an
unnamed American credit processing company, stole PIN numbers, manipulated
accounts, and proceeded to steal 9 million USD from over 2000 ATM machines
world-wide.  (They have just been brought to justice.)

Teleportation via Skyhook

Jerry Leichter <>
Sun, 22 Nov 2009 22:31:08 -0500

I commute into Manhattan, which suffers from frequent traffic problems.
I've been using a combination of technologies to help out: An cell-phone
system based modem, one of the little portable WiFi hotspots that will talk
to it (so that I have a hotspot in my car), and the iPod Touch map
application, which shows Google's maps along with traffic conditions.

Now, the Touch doesn't have a GPS and doesn't talk to cell towers; but it
does quite well using technology from a company called Skyhook Wireless.
Skyhook builds a database of WiFi networks, and if you're in an area where
you can "see" one or more WiFi networks, it can locate you with surprising
accuracy.  It does make mistakes every once in a while, when very few WiFi
signals are visible nearby.  This may result in the map jumping around a bit
until more data is available.

One day, as I was driving along the west side of Manhattan, the map suddenly
changed.  A quick glance showed it to be entirely unfamiliar.  Since I was
stopped at a red light, I was able to stare at the map.  Surprise!  My Touch
thought I had instantly teleported across the Atlantic, and was driving
along the Mediterranean coast, not far from Monte Carlo.

A look around me gave a hint to the cause of the problem.  I was right next
to a large cruise ship.  Obvious guess: Such ships provide WiFi services.
This one probably happened to be visiting near Monte Carlo when it made it
into Skyhook's database.  Sure enough, when I had driven a couple of blocks,
the map suddenly shifted back to Manhattan.

A friend and I had previously joked about the confusion that would result if
I happened to be driving, with my in-car hotspot, just behind a Skyhook
mapping van.  Well ... it looks as if truth can be stranger than fiction!

Warren Buffett cell phone skills: did they doom Lehman?

Sun, 15 Nov 2009 13:29:56 +0800

If Buffett only knew how to retrieve his cell phone messages, the banking
crisis might have been averted. True or false?,people,news,warren-buffett-the-unheard-voice-mail-that-could-have-saved-lehman-brothers

Did Warren Buffett's Inability to Check Voice Mail Cause the Recession?

If Only Warren Buffett Knew How to Work His Cellphone...

Warren Buffett Cell Phone Skills: Did They Doom Lehman?

Robert Schaefer <>
Fri, 13 Nov 2009 12:46:44 -0500
Subject: Two Are Charged With Helping Madoff Falsify Records

Two computer programmers who worked for Bernard L. Madoff's investment firm
were accused Friday of helping to cover-up the giant Ponzi scheme.  for more
than for more than 15 years."  [*The New York Times*, 13 Nov 2009]

Brevity of text message leads to rumor of death

Mark Brader
Fri, 13 Nov 2009 17:15:22 -0500 (EST)

Canadian cabinet minister John Baird texted a friend to say that his cat had
died.  But it was thought he meant Margaret Thatcher, who the cat was named

  [And twitter was the cat's bird friend?  PGN]

Nasty iPhone Worm Hints at the Future (Robert Lemos)

Jim Schindler <>
Tue, 24 Nov 2009 22:44:05 -0800

Robert Lemos, *Technology Review*, 25 Nov 2009
As smart phones become smarter, malicious code will find a friendlier home.

As mobile phones get more powerful, the threat of serious attacks against
such devices increases, security experts warn. This week, cybercriminals
moved closer to proving this point--exploiting a weakness in modified
iPhones to spread a worm programmed to steal banking information. Some
experts say the worm may be a sign that criminals are getting more savvy
about hacking mobile devices.

Last Saturday, researchers at several security firms reported that the new
worm, dubbed "Ikee.B" or "Duh," spreads using the default password for an
application that can be installed on modified versions of the iPhone. Once
the device has been compromised, the worm grabs text messages, and searches
for banking authorization codes used by at least one bank, before sending
the codes to a central server. Earlier this month, another iPhone worm was
released. It exploited the same password weakness to spread itself, but did
not try to steal personal information.

"The banking [attack] is new to mobile devices," says Chet Wisniewski, a
senior security advisor at antivirus firm Sophos. "It goes through your
phone, grabbing all your text messages, and sends them off to a server in

Since the attack affects only the small number of iPhones that have been
"jail broken"--modified to run nonapproved software--the worm will likely
inconvenience only a few people. Yet some researchers say the worm confirms
that attacks against mobile users are evolving, and that cybercriminals are
targeting the personal and financial information kept on portable devices.
The ability to communicate with a central command-and-control server--a
characteristic more commonly associated with hijacked PCs--also makes such
software more dangerous.

This past summer, at the Black Hat Security Briefings conference in Las
Vegas, Charlie Miller, a consultant with Independent Security Evaluators,
demonstrated a way to remotely attack iPhones using the short message
service (SMS) protocol<>.
Miller says it's only a matter of time before cybercriminals find a way to
infect phones that haven't been jail broken, vastly increasing the potential
scale of an infection. "A [more serious] worm against an iPhone or any other
mobile device is going to happen," Miller says. "It is going to happen to
[Google's] Android and iPhone and everything else. As more bad guys do
research into the mobile platforms, these devices are going to get

The evolution of the Ikee.B or Duh worm can be traced back to early attacks
against mobile devices. In 2000, Timofonica, a relatively simple virus that
spread between desktop computers and servers, also had the ability to spam
mobile phones in Spain with text messages. In 2004, Cabir, the first
mobile-phone-only worm, was released. Cabir could jump automatically between
Nokia handsets.

In 2006, researchers at the University of Toronto and Microsoft confirmed
that even short-ranged and short-lived Bluetooth connections between phones
could, in theory, be used to spread a wireless worm. "Starting a Bluetooth
worm outbreak is relatively easy once a vulnerability is found. An attacker
can bring an infected device into a typical urban mall and discover many
potential victims," the researchers wrote in a related paper.

The iPhone, and other smart phones, are a more attractive target for
hackers because they resemble mini PCs. The devices are always connected to
the Internet, run third-party applications, and store information that is
potentially valuable to cybercriminals.

Normally, however, exploiting the iPhone is not that easy. The new worm
employed a weakness introduced by an application called OpenSSH that can be
used to connect to the phone remotely. This application uses the default
password "alpine," and the worm used this default password to wriggle
between handsets.

"This is trivial--there is no shell code, no buffer overflow, nothing,"
says Miller. "It took me two weeks to write the [code] for the SMS thing,
but I could have written [Ikee.B] in, like, five minutes."

The attacks that have targeted the iPhone in the last month have also
focused on jail-broken devices. The modification process to jail break a
phone removes the code that prevents users from loading whatever
applications they want, but also removes much of the security that prevents
malicious code from running on the device. "The iPhone has all these layers
of defense, but when you jail break your phone, you break every single one
of them," Miller says.

The evolution of such hacking will continue, Miller says, although the
current crop of iPhone attack code has a long way to go. The new worm does
little to hide its activity, for example. And, by sending data over wireless
networks, as well as aggressively attempting to infect other phones, the
worm also quickly runs down the compromised phone's battery.

"Because the phone is trying to connect all the time, users that get
infected with this thing are going to know," says Sophos' Wisniewski.

Australian Emergency operator hangs up; no street address.

"Darryl Smith" <>
Thu, 26 Nov 2009 10:30:06 +1100

From the *Sydney Morning Herald*, 26 Nov 2009

A man called the emergency line from a remote property near Boomi in far
northern NSW. An operator ended the call because Mr Jamieson could not
provide a street number. "They said they wanted a house number. I said
there's no house number." When what road his property was on, he responded
"The Boomi-Goondiwindi Road, they couldn't find Goondiwindi on a map because
... it's in Queensland". An ambulance eventually arrived after he contacted
a business next door to the Goondiwindi ambulance service in the next state.

This comes after a 17-year-old became separated from his two classmates on
Mount Solitary during a three-day trek in 2006 and died. The inquest found
three triple-0 operators bungled a series of calls for help he made to them
because they did not have a street address of the rugged bushland.

Darryl Smith, VK2TDS POBox 169 Ingleburn NSW 2565 Australia
Mobile Number 0412 929 634 [+61 4 12 929 634 Int] - 02 9618 645 -

  [Another problem well known to RISKS readers.  PGN]

"Your smart meter is watching"

David Magda <>
Tue, 17 Nov 2009 18:25:42 -0500

Ann Cavoukian (Privacy Commissioner of Ontario) and Jules Polonetsky:

> We must take great care not to sacrifice consumer privacy amid an
> atmosphere of unbridled enthusiasm for electricity reform. But we need not
> forfeit one for the other in a zero-sum manner; we can adopt a
> positive-sum approach, where both interests may prevail.  Information
> proliferation, lax controls and insufficient oversight of this information
> could lead to unprecedented invasions of consumer privacy. Intimate
> details of individual hydro customers' habits, from when they eat, when
> they shower, to when they go to bed, plus such security issues as whether
> they have an alarm system engaged, could all be discerned by the data,
> automatically fed by appliances and other devices, to the companies
> providing electric power to our homes.

They have also released a white paper entitled "SmartPrivacy for the Smart
Grid: Embedding Privacy into the Design of Electricity Conservation"
detailing the issue:

Aahz <>
Sat, 21 Nov 2009 11:32:05 -0800
Subject: Failure begets failure?

I've been having a number of problems with the Hyatt hotel chain lately, and
I'm excerpting the bits that I think would be of interest to RISKS readers
(mostly the ones that represent failure in communication and computer use),
none of which is particularly surprising, although having the entire
sequence is somewhat surprising to me.

What I'm curious about, particularly from a RISKS perspective, is the
likelihood that any given customer having experienced problems with an
organization makes it more likely that the same customer will experience
additional problems.  Anyone know of research in this area?  This is related
to e.g. problems in aviation and computer servers — how likely are
cascading failures?  Can/should we use the first failure as a harbinger of
future failures?

I mean, although my experiences with Hyatt are such that calling them
incompetent would be high praise, they clearly can't be causing this many
problems for other customers or they'd be out of business.

Here's the redacted list:

* Failing to provide free Internet at Hyatt Santa Clara (California) despite
group contract specifying it (5/2008)

* Refusing to refund a damage deposit until I dispute the charge with my
credit card company (Hyatt Santa Clara, 5/2009 - 7/2009)

The next series of incidents started when the Hyatt Summerfield Suites in
Belmont, California was unable to give us a room because some other guests
trashed their rooms; the Summerfield sent us to the Hyatt SFO.

* Informing me only by telephone about the new arrangement despite making
the reservation on-line (although this is par for the course for pretty much
all idiot companies) — I'm hearing-impaired, so this issue is particularly
important to me, but I know plenty of people who hate using the phone

* Although this is supposed to be a free room with breakfast (to compensate
for switching hotels), they charge my credit card for parking, Internet, and
room service ($60!)

* They later reverse the charge without informing me; I only notice this on
my credit card bill

* Changing the name on my Hyatt account without asking me

* When I complain about the name change, they claim that they have no record
of a name-change on my account (they are obviously either lying or
incompetent because they sent me an automated e-mail when my name was

In addition, the Hyatt web site uses HTTP for account login instead of
HTTPS/SSL, so they clearly don't care about security.

Aahz (

At Checkout, More Ways to Avoid Cash or Plastic

"Matthew Kruk" <>
Mon, 16 Nov 2009 23:36:59 -0700

Claire Cain Miller, At Checkout, More Ways to Avoid Cash or Plastic,
*The New York Times*, 16 Nov 2009

For almost as long as Americans have been hearing about jetpacks and
picturephones, they have been hearing that money - bills, coins and plastic
cards - might cease to exist, or at least become a novelty.

Instead of leather wallets, consumers could, sooner than they think, carry
virtual wallets, with their credit card and bank information stored on
remote computers that are accessible everywhere and anytime.  They could use
them whenever they want to buy something, whether on the Web, on cellphones
or at cash registers.

With a new cellphone application called ShopSavvy, for instance, a shopper
can use the phone's camera to scan an item's bar code in a store to see if
it is available for less online. If so, the shopper can buy it with one
click if they have already entered their credit card and shipping
information on PayPal's Web site.

"What we're trying to do and what we think is very important is to displace
the use of cash or checks," said Scott Thompson, president of PayPal, which
is a leader in digitizing money. "We'll just have one wallet, and it lives
in the cloud." ...

There's more ...  makes me very uneasy.  Electronic pickpockets have perked
up their ears ...

  [And if you ask for the manager, the checker is likely to say,
  "The Head's in the Clouds" or perhaps "The Cloud is in the Head."  PGN]

Mafia Wars CEO Brags About Scamming Users From Day One

"Matthew Kruk" <>
Mon, 16 Nov 2009 23:31:12 -0700

"From the beginning, the profitability and viability of popular Facebook
social networking games Mafia Wars and Farmville were predicated on the
backs of scams, boasts Zynga CEO Mark Pincus in this video. "I did every
horrible thing in the book just to get revenues," he crows in the clip to a
gathered bunch of fellow scumbag app developers." ...

NY State Proposing Laws to Restrict Trucker Use of GPS

Sun, 15 Nov 2009 04:22:17 +0800

AP item, 14 Oct, 2009: New York State wants to crack down on truckers who
rely on satellite devices to direct them onto faster but prohibited routes
and end up crashing into overpasses that are too low for their rigs.
Gov. David Paterson proposed penalties including jail time and confiscation
of trucks to come down on drivers who use GPS - global positioning systems -
to take more hazardous routes and end up striking bridges.

Re: Jimmy Carter era" computer causes traffic jams (RISKS-25.83)

"JosephKK" <>
Sun, 15 Nov 2009 18:25:54 -0800

> Troubleshooting requires lots of training and intuition, not something
> you can pick up from a book...

Like hell.  I started in computers in 1971 and only a few antiques
took more than four shelves in a 36 inch cabinet for the CPU proper.
By 1974 the whole thing including I/O adapter was below 22" by 22" by
48" and did about 1 32bit (VAX) mips.  Moreover these were military
ruggedized types.  And the training required was weeks.
Straightforward as hell.  And the basic implementation was bit slice
to boot.  For that matter so was the previous generation, just not
quite so obviously. Ref (CP1303/AN-UYK7 {32bit} and CP-642B/AN-UYK4
{30 bit})

Re: Drivers ticketed for not speaking English (Jiminez, R 25 83)

Jerry Leichter <>
Sun, 22 Nov 2009 23:25:39 -0500

In RISKS-25.83, Frank Jimenez reports on that the Dallas Police Department
has issued at least 38 tickets citing drivers for an inability to speak
English.  There is, in fact, no such requirement - except for commercial
drivers.  Jimenez concludes: "The risk here is the ability to choose an
option from a drop-down box that doesn't actually apply to a particular law
enforcement situation."

Is it really?  Do we really want a computer system involved in deciding
whether a particular law is applicable in a given situation or not?  We're
not talking about some simple UI to a billing program where it's trivial to
determine which options make sense.

Police are expected to understand the law.  It's part of the job
description.  They are human and humans make mistakes; that's why we have
courts and appeals courts beyond them.  But a policeman who doesn't get the
law right in the vast majority of situations shouldn't be wearing a badge.

Paper tickets include space for many possible violations, only a few of
which may be relevant in any given circumstance.  Based on all history of
computerization as we'e seen it here, do we really think that replacing that
piece of paper with a "smart" program that somehow decides with violations
are relevant will improve things?  Or is it more likely to lead to a spate
of other stories in which police are unable to issue tickets because the
computer fails to bring up the right option; or, even worse, are led to
ignore their own knowledge and judgement and charge things incorrectly
because "the computer said this was the right charge"?

REVIEW: "Security and Usability", Lorrie Faith Cranor/Simson Garfinkel

Rob Slade <>
Tue, 17 Nov 2009 14:06:04 -0800

BKSECUSA.RVW   20090727

"Security and Usability", Lorrie Faith Cranor/Simson Garfinkel, 2005,
0-596-00827-9, U$44.95/C$62.95
%E   Lorrie Faith Cranor
%E   Simson Garfinkel
%C   103 Morris Street, Suite A, Sebastopol, CA   95472
%D   2005
%G   0-596-00827-9
%I   O'Reilly & Associates, Inc.
%O   U$44.95/C$62.95 800-998-9938 fax: 707-829-0104
%O   Audience i- Tech 2 Writing 1 (see revfaq.htm for explanation)
%P   714 p.
%T   "Security and Usability"

The editors state that they intended this collection of essays more to
address the academic, than the practical, side of the security field.  Thus,
the papers are chosen to reflect theory and principle, rather than specific
practice.  A prudent choice, since theory dates less quickly than specific

The thirty-four compositions in this work are divided into six sections.
Part one states that security and usability are not antithetical, part two
addresses authentication mechanisms and techniques, part three examines how
system software can contribute to security, part four deals with privacy
controls, part five examines the vendor perspective of provision of
security, while part six finishes off the book with a few papers considered
to be of lasting value.

The papers contain interesting points, but sometimes both theoretical and
practical utility are lacking.  For example the first paper, entitled
"Psychological Acceptability Revisited," challenges the idea that security
mechanisms must be complex and difficult to use in order to be effective.
Unfortunately, while the author clearly demonstrates that a system can be
both insecure and useless, he does not prove the opposite, which is the
condition we want.  A good many papers simply state that human factors
should be considered, and that security provisions should be usable: these
points are true, but not helpful.  With one exception (a good paper on
password choice) all the pieces on authentication present research having
nothing to do with usability.  Most of the papers in the book describe
security research that is interesting, and which frequently has relations
with human factors, but the relevance to the provision of systems that are
both usable and secure is not often clear.

Even as a compilation of security bedtime reading, the essays collected in
this volume are somewhat lacking.  In terms of both principles and practice,
any volume of the "Information Security Management Handbook"
(cf. BKINSCMH.RVW) has superior selection, and better structure, as well.

copyright Robert M. Slade, 2009

Please report problems with the web pages to the maintainer