The Risks Digest

The RISKS Digest

Forum on Risks to the Public in Computers and Related Systems

ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

Volume 25 Issue 97

Friday 26 March 2010

Contents

Unmanned goods train crash in Norway
Martyn Thomas
NRC to VA: you endangered patients, you owe us $227k
Danny Burstein
FBI Faces New Setback in Computer Overhaul
Eric Lichtblau via David Lesher
IRS systems can't be trusted
Randall Webmail
Risks to the power grid
Gary McGraw
Pwn2Own 2010: iPhone hacked, SMS database hijacked
Ryab Naraine via Monty Solomon
Warnings about Wifi-enabled air travel
David Strom via Gabe Gold
Cops inadvertently harass couple: real address used as test data
Mark Brader
Police raid wrong address 50+ times
David Lesher
UK SAS base "exposed" through Google Streetview
Peter Baker
Netflix Data Deanonymized
Bob Gezelter
Hacked "miss a payment, brick your car" system
Jeremy Epstein
Colombian vote count delayed
PGN
Surveillance via bogus SSL certificates
Matt Blaze
More on School Webcam Scandal
Gene Wirchenko
Couldn't logout from Facebook Mobile
jidanni
Re: Old models of PS3 failed to connect to network
DoN Nichols
Info on RISKS (comp.risks)

Unmanned goods train crash in Norway

Martyn Thomas <martyn@thomas-associates.co.uk>
Wed, 24 Mar 2010 15:15:27 +0000

Several railway cars in a 16-car train broke loose, sped at 100km/h,
derailed, smashed into a building, killed three people, injured three
others, and wound up in a fjord.
  http://news.bbc.co.uk/1/hi/world/europe/8585315.stm


NRC to VA: you endangered patients, you owe us $227k

danny burstein <dannyb@panix.com>
Thu, 18 Mar 2010 11:55:34 -0400 (EDT)

The Nuclear Regulatory Commission has proposed a $227,500 fine against the
Department of Veterans Affairs (DVA) for violations of NRC regulations
associated with an unprecedented number of medical errors identified at the
Veterans Affairs Medical Center in Philadelphia (VA Philadelphia).  Medical
errors at VA Philadelphia involved the incorrect placement of iodine-125
seeds to treat prostate cancer. Out of 116 procedures performed between 2002
and 2008, 97 were executed incorrectly. ...  [NRC press release]

http://www.nrc.gov/reading-rm/doc-collections/news/2010/10-005.iii.html

  [I'm not entirely comfortable with their use of the term "executed" in
  this context...]


FBI Faces New Setback in Computer Overhaul (Eric Lichtblau)

David Lesher <wb8foz@panix.com>
Fri, 19 Mar 2010 09:20:50 -0400

[Source: Eric Lichtblau, *The New York Times*, 18 Mar 2010]
http://www.nytimes.com/2010/03/19/us/19fbi.html?hp=&pagewanted=print

The Federal Bureau of Investigation has suspended work on parts of its huge
computer overhaul, dealing the agency the latest costly setback in a
decade-long effort to develop a modernized information system to combat
crime and terrorism.  The overhaul was supposed to be completed this fall,
but now will not be done until next year at the earliest. The delay could
mean at least $30 million in cost overruns on a project considered vital to
national security, Congressional officials said.  FBI officials said that
design changes and "minor" technical problems prompted the suspension of
parts of the third and fourth phases of the work, which is intended to allow
agents to better navigate investigative files, search databases and
communicate with one another.  The decision to suspend work on the $305
million program is particularly striking because the current contractor,
Lockheed Martin, was announced to great fanfare in 2006 after the collapse
of an earlier incarnation of the project with the Science Applications
International Corporation.

  So after both classified and unclassified reviews, Congressional scrutiny,
  and "we'll do better next time" promises...

  Esther Dyson: “Always make new mistakes.”


IRS systems can't be trusted

Randall Webmail <rvh40@insightbb.com>
March 23, 2010 5:41:53 PM EDT

According to a new Government Accountability Office report, the Internal
Revenue Service has failed to fix almost 70 percent of control weaknesses
and program deficiencies identified a year ago.  The report concludes that
the IRS's failure to use strong passwords, install patches quickly, and
adequately control access to computer systems and information makes the
system vulnerable to insider threats and attacks from outside.
  http://news.cnet.com/8301-27080_3-20000987-245.html?part=rss&subj=news&tag=2547-1_3-0-20
  http://tinyurl.com/yapnjb2


Risks to the power grid

Gary McGraw <gem@cigital.com>
Fri, 26 Mar 2010 08:18:56 -0400

We have known for years that the power grid system is a fragile engineering
kludge.  Adopting Internet technology to bring it kicking and screaming into
this Millennium may not help.  Some of the RISKS described in

A keynote talk I gave for the NRECA (video)
http://www.cigital.com/justiceleague/2010/03/22/smart-grid-equals-dumb-security/

My colleague Sammy's talk
http://www.cigital.com/justiceleague/2010/03/24/at-the-nreca-conference/

An informIT article I just wrote about the subject:

The Smart (Electric) Grid and Dumb Cybersecurity
http://www.informit.com/articles/article.aspx?p=1577441

http://www.cigital.com/~gem


Pwn2Own 2010: iPhone hacked, SMS database hijacked (Ryan Naraine)

Monty Solomon <monty@roscom.com>
Thu, 25 Mar 2010 23:25:39 -0400

A pair of European researchers used the spotlight of the CanSecWest Pwn2Own
hacking contest [in about two weeks] to break into a fully patched iPhone
and hijack the entire SMS database, including text messages that had already
been deleted.  Using an exploit against a previously unknown vulnerability,
the duo -- Vincenzo Iozzo (Zynamics) and Ralf Philipp Weinmann (University
of Luxembourg) -- lured the target iPhone to a rigged Web site and
exfiltrated the SMS database in about 20 seconds.  The exploit crashed the
iPhone's browser session, but Weinmann said that, with some additional
effort, he could have a successful attack with the browser running.
"Basically, every page that the user visits on our [rigged] site will grab
the SMS database and upload it to a server we control," Weinmann explained.
Iozzo, who had flight problems, was not on hand to enjoy the glory of being
the first to hijack an iPhone at the Pwn2Own challenge.
[Source: Ryan Naraine, zdnet, datelined Vancouver BC, 24 Mar 2010; PGN-ed]
  http://blogs.zdnet.com/security/?p=5836


Warnings about Wifi-enabled air travel

<gabe@gabegold.com>
Mon, 15 Mar 2010 12:40:07 -0400

  -- ------ Original Message --------
  Date: 	Mon, 15 Mar 2010 08:06:49 -0500
  From: 	David Strom <david@strom.com>
  To: 	webinformant@list.webinformant.tv

Web Informant 15 March 2010: Warnings about Wifi-enabled air travel

I have been on a few planes in the past couple of weeks that are
Wifi-enabled. American has created an entirely new opportunity for identity
thieves here, and while the opportunity to surf and e-mail at 30,000 feet is
tempting, count me out for those that will become frequent users.

The problem is that most people get lost in the wonderfulness of the Web and
tend to forget that their seatmates can watch every move, see every
keystroke (it doesn't take much to follow along, especially at the speed
that many people type), and collect all sorts of information. By the end of
one flight I was on, I had Larry (not his real name) the HP sales rep's
Amazon account, read several of his e-mails, got to see his new sales
presentations that HP corporate sales office had sent him, figured out that
he was a recent hire as he was checking HP's Intranet to understand some
corporate travel policies, found out who his clients that he had just
visited were, and more.

Now, I wasn't really paying that much attention. I was tired, and just
wanted to be left by myself for the trip. And I think we exchanged maybe ten
words between us all told. But if I really wanted to do some damage, I could
be all over Larry's accounts by now (he had some nice taste from what I
could see he was looking for on Amazon, too).

Yes, people have been using laptops on planes for years. I used to do it all
the time, back when the middle seat was rarely occupied and you didn't have
to almost disrobe to get to the gate. But those days are almost as much part
of history as calling the people that worked on planes stews. The difference
is now that we have Internet piped directly to the seat, people are free to
go anywhere and everywhere, and where they go are places that are critical
to their life. I wouldn't be surprised if someone was doing their online
banking in-flight.

So people (and HP, you might want to consider this a corporate-wide
purchase) if you are going online up in the air, get a privacy filter for
your laptop so that no one else can see your screen. They cost about
$30. This isn't complex technology: it has been available almost as long as
Windows has been around. And while you are at it, dim your screens to save
on power anyway (Larry had one of those nifty power-packs to boost his
battery, too). Or better yet: don't work on anything important on a crowded
plane -- and these days, what other kinds of planes are there? Bring a
book or watch a movie if you must be immersed in your electronic cocoon.

I am reminded of a story from my early days as a reporter for PC Week, back
in the late 1980s. We were very scoop-oriented, and would always try to get
information from the vendors through all sorts of means, some of them
probably unethical or at least uncomfortable in the light of the present
day. One of our reporters was having dinner with her boyfriend (now husband)
at a quaint and cozy Cambridge Mass.  restaurant, and overhead two
businessmen at the next table gossiping about work. What was unusual was
they were speaking rapid German, and both were working for Lotus
Development, at the time a powerhouse spreadsheet player. They were in town
to discuss the company's future product plans. Trouble was, my colleague
spoke German fluently, and got a couple of scoops that were published the
next week in the paper.  No one knew who the source of the leak was.

Remember loose lips sink ships, the World War 2 posters put up by the
government? We need something similar on Wifi-enabled planes. Be careful out
there people. You never know whom you are sitting next to.


Cops inadvertently harass couple: real address used as test data

Mark Brader
Sun, 21 Mar 2010 01:42:00 -0400 (EDT)

http://www.theregister.co.uk/2010/03/19/police_raid_glitch/
  Note especially the last paragraph in this one.

In 2002 the New York Police Department was testing a new computer system and
put in "random material" as test data.  This included the real address of
Walter and Rose Martin -- which inadvertently ended up in the system as live
data.  The result was that the Martins' address appeared in police computers
as the address of a variety of crime suspects and victims; so police were
repeatedly banging on the door demanding the suspects appear, as well as
sending them mail.

In 2007 the Martins finally complained to the police commissioner, but the
problems remained unresolved.  By now the Martins are 82 and 83 years old,
police have come to their house 50 times, and the story has reached the news
media.  Both the mayor, Michael Bloomberg, and the police commissioner, Ray
Kelly, have apologized to the couple, and the problem is now supposed to
have been fixed.

http://news.bbc.co.uk/2/hi/americas/8577579.stm
http://www.nydailynews.com/news/2010/03/18/2010-03-18_six_examples_of_cops_mistakenly_visiting_elderly_brooklyn_couples_home.html
http://www.nydailynews.com/news/ny_crime/2010/03/19/2010-03-19_bloomberg_apologizes_to_couple_mistakenly_raided_by_nypd_over_50_times.html
http://www.washingtonpost.com/wp-dyn/content/article/2010/03/19/AR2010031900906.html


Police raid wrong address 50+ times

"David Lesher" <wb8foz@panix.com>
Fri, 19 Mar 2010 08:58:49 -0400 (EDT)

[Also noted here:]
http://www.nypost.com/p/news/local/brooklyn/computer_glitch_blamed_home_years_mHUCrXCM8vhEyVGJolFIPK

Maybe they need a special doorbell "For police raids..."

Once again, the lack of sanity checks at multiple levels rears its head.

a) Did each raid have a valid warrant? If so, who obtained the warrants?
   Who signed the affidavits? What judge approved them? [Is this process
   just rubber-stamps?]

b) After fifty raids, the NYPD has not yet figured out it is worth a
   moment's thought before kicking their way in?

  [Harald Hanche-Olsen added: New York's police chief has delivered a
  cheesecake to an elderly couple in Brooklyn, to apologise for dozens of
  mistaken police visits to their home.  PGN]
    http://news.bbc.co.uk/2/hi/americas/8577579.stm


UK SAS base "exposed" through Google Streetview

Peter Baker <peter.baker@safe-mail.net>
Sat, 20 Mar 2010 14:18:33 +0100

A UK newspaper reports "fury" as Google Streetview was found to display
detailed pictures of the SAS headquarters
<http://www.dailymail.co.uk/news/article-1259162/Google-Street-View-shows-secret-SAS-base-major-security-breach.html>.

I would personally wonder about perimeter security if a vehicle that is very
obviously taking pictures can drive past without a discussion with either
the driver in question or the organisation behind it.  However, it made me
curious if that other "off the map" place was featured, and yes, ECHELON is
available in Streetview too <http://bit.ly/GoogleEchelon> (well, for the
moment).  The RISK is obvious: if you don't want your perimeter in the news,
patrol it.  If you want to remove such pictures, have a *quiet* word or
expect the Streisand effect to strike with a vengeance.

It wasn't Google Streetview exposing the base, it was the resulting
publicity.  Duh..


Netflix Data Deanonymized

Bob Gezelter <gezelter@rlgsc.com>
Sun, 14 Mar 2010 11:30:50 -0500

The movies you rent may tell a lot about you, perhaps more than you may
want. This collation hazard, collating anonymized data with other data to
de-anonymize the data has serious implications. This hazard was noted in
RISKS many years ago, with regards to pharmacy data (which was not
protected) and medical files (which were protected) [to Editor: I do not
have the reference at hand, it may be pre-online RISKS, perhaps you recall
when?]

In The New York Times Bits blog, Steve Lohr published an article noting the
latest round of the Netflix competition has been canceled. [see
http://bits.blogs.nytimes.com/2010/03/12/netflix-cancels-contest-plans-and-settles-suit/]

Apparently, researchers at the University of Texas were able to unmask the
data. [see http://arxiv.org/PS_cache/cs/pdf/0610/0610105v2.pdf].

This is only the latest in a series of episodes involving "collation", a
hazard that was included in "Security on the Internet" (Chapter 23, Computer
Security Handbook (1995), section 23.4, pp 23-6) and its 2002 sequel
(outline available at
http://www.computersecurityhandbook.com/csh4/chapter22.html).

The mass adoption of micro-blogging and applications that reveal ones
physical location only make this hazard more severe. I daresay this will not
be the last we see of anonymized data becoming uncloaked through collation.

- Bob Gezelter, http://www.rlgsc.com


Hacked "miss a payment, brick your car" system

Jeremy Epstein <jeremy.j.epstein@gmail.com>
Wed, 17 Mar 2010 19:16:24 -0400

A vendor offers a black box system that will remotely disable a car's
ignition or start the horn honking, to allow easy recovery if the owner
doesn't make the car payments.  A laid-off auto dealership worker took
advantage of the system and got his revenge for being laid off by logging
into the system using a (former) co-worker's credentials, and going through
one-by-one and disabling all of the cars sold by his former employer
equipped with the device.  The vendor of the remote control device says this
is the first time it's ever happened.  (I'd guess it's not the last!)

The Risk?  Any time you have a remote control device, you've opened a new
attack surface.  While this attack was essentially an insider (since the
person knew a co-worker's password), what's the odds that someone can guess
passwords, or find them posted on monitors in the car dealership, or find a
vulnerability in the web application, or ....  There are also potential
attacks going directly against the devices, completely bypassing the
web-based control system.

I'd bet that the dealerships were assured the system is completely
secure, because it uses SSL.

http://www.wired.com/threatlevel/2010/03/hacker-bricks-cars/

  [Also noted by Steven J Klein, and Steve Summit, who commented: The Risks?
  The usual: An unsuspected, perhaps too-powerful system, which although it
  had some safeguards, perhaps didn't have enough...  David Lesher noted a
  UPI item, and remarked: Gee, shades of the Greek Wiretapping Saga, and
  multiple other cases.  When you build Big Brother in, you can expect
  misuse.  PGN]


Colombian vote count delayed

"Peter G. Neumann" <neumann@csl.sri.com>
Wed, 17 Mar 2010 18:02:02 PDT

Unidentified attackers reportedly struck the computerized system used to
transmit voting data in Colombia's legislative elections, disrupting the
vote count just as the polls closed and continuing.  Three days after the
polls, final results still had not been released.  (AFP, 17 Mar 2010)
http://www.google.com/hostednews/afp/article/ALeqM5iqkjRi-yQWVJ6Dp3CcsKr8k9AQEw


Surveillance via bogus SSL certificates

Matt Blaze <mab@crypto.com>
March 24, 2010 3:09:19 PM EDT

  [From Dave Farber's IP list]

Over a decade ago, I observed that commercial certificate authorities
protect you from anyone from whom they are unwilling to take money.  That
turns out to be wrong; they don't even do that.

Chris Soghoian and Sid Stamm published a paper today that describes a simple
"appliance"-type box, marketed to law enforcement and intelligence agencies
in the US and elsewhere, that uses bogus certificates issued by *any*
cooperative certificate authority to act as a "man-in-the-middle" for
encrypted web traffic.

Their paper is available at http://files.cloudprivacy.net/ssl-mitm.pdf

What I found most interesting (and surprising) is that this sort of
surveillance is widespread enough to support fairly mature, turnkey
commercial products.  It carries some significant disadvantages for law
enforcement -- most particularly it can be potentially can be detected.

I briefly discuss the implications of this kind of surveillance at
http://www.crypto.com/blog/spycerts/

Also, Wired has a story here:
http://www.wired.com/threatlevel/2010/03/packet-forensics/

  [IP Archives: https://www.listbox.com/member/archive/247/=now


More on School Webcam Scandal

Gene Wirchenko <genew@ocis.net>
Mon, 22 Mar 2010 13:44:51 -0700

http://www.infoworld.com/d/adventures-in-it/high-school-web-cam-follies-part-ii-dumb-and-dumber-371?source=IFWNLE_nlt_notes_2010-03-22
InfoWorld Home / Adventures in IT / Notes from the Field / Robert X. Cringely
March 22, 2010
High school Webcam follies, part II: Dumb and dumber
The Lower Merion School District's 'Webcamgate' scandal continues.
Cringely updates us on the latest twists and turns

Though it's not getting quite the 24/7 cable news treatment as it garnered
when it first hit the wires, the Webcam scandal in Southeastern Pennsylvania
(aka "Webcamgate") is still twisting and turning in unpredictable ways. We
still don't know exactly what happened, but we do know there are lessons
here for everyone concerned about IT security and personal privacy.


Couldn't logout from Facebook Mobile

<jidanni@jidanni.org>
Mon, 22 Mar 2010 05:48:56 +0800

There I was at a certain university library who had blocked access to
facebook.com. However I found I could still get through to Facebook
Moblie: m.facebook.com. All was hunky-dory until I tried to logout, a
link which surprise, surprise, depends on accessing the main
facebook.com site! So I was forced to rid the cookies and close the browser.


Old models of PS3 failed to connect to network due to

"DoN. Nichols" <dnichols@d-and-d.com>
Fri, 19 Mar 2010 21:12:00 -0500
	leap-year miscalculation (Ishikawa, RISKS-25.96)

I think that the problem was more a miscalculation of the year, as
apparently occurred in some cell-phones and was reported here at the
beginning of the year.

I encountered it in my watch -- a Citizen "Eco" solar-powered watch which
updates itself nightly from whatever time station is most reachable.  (For
the USA, it is WWVB.)  There is one station in Europe, and two in Japan
which it also knows about.

Anyway -- I first became aware of the problem after the rollover from
February 2010 to March 2010.  It started displaying the day of the month one
lower than it should have been.

On going into the setting mode to correct this, I discovered that it thought
that the year was 2016.  Apparently, this had been since the beginning of
2010, but since the year is only displayed in setting mode, it was not
obvious until the rollover.  Since 2010 is not a leap year, but 2016 *is*,
it started calculating the day of the month incorrectly -- presumably from
an internal count of days since the start of the year.

I fixed the date, and it recurred after the nighttime contact with WWVB --
every night, so I just turned off the automatic updates while tracing down
the proper way to get it fixed.

The problem seems to be in the conversion of the BCD coded information from
WWVB to the binary data within the watch.  What it was doing was converting
the bottom four bits to a decimal digit and setting that, then taking the
next four bits and adding it shifted up by four bits -- thus adding a value
of 16 to the total, instead of multiplying the next to LSD by ten and adding
it to the binary value.

Since the upper two digits of the year are correct, I presume that it is
simply using the two lowest digits and adding to 2000 internally.  So -- I
wonder what happens when we reach 2100?  Not likely to be a problem for me,
unless there are some miraculous advances in longevity medicine. :-) And I
have doubts that the battery will last that long, even with proper sun
exposure to keep it charged.  And I also doubt that the battery will remain
in production that long.  So it will probably become non-functional long
before the 2100 date arrives.

To their credit -- once I got in touch with the right part of the Citizen
repair organization (no simple task, given the layout of their web page)
they instantly recognized the problem, told *me* the model of the watch, and
started processing to get me a free shipping via UPS to their site. (I have
about three years of the five year warranty left, but they did not even ask
about that.)

They have just received the watch, and I am now awaiting its return in an
updated state.

Subsequent e-mail with them determined that they had discovered the problem
and sent information to the dealers to send the watches back for a firmware
update (which they are calling a software update).  Some did, and some did
not.

I purchased mine about the time that they discovered the problem and issued
the notice, so I don't know whether it should have been sent back at the
time I got it or not.

The dealer was totally puzzled by the problem, and their own contact with
the repair organization suggested that it was a problem of the battery dying
(and the indicator showed a perfectly good charge on it).  So -- they have a
similarly difficult information channel.  All watches made after the early
part of 2008 were shipped with the firmware fixed.  (I tested one at the
store to make sure of this before I was told that they were fixed by the
repair facility.)

http://www.d-and-d.com/dnichols/DoN.html  Voice: (703) 938-4564

Please report problems with the web pages to the maintainer

Top