The Risks Digest

Forum on Risks to the Public in Computers and Related Systems

ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

Volume 26 Issue 07

Saturday 29 May 2010

Contents

Drilling for Certainty
David Brooks via PGN
US Navy's Electro-Magnetic Aircraft Launch System software problem
Bruce Horrocks
It's not just the camera in the laptop
Jeremy Epstein
Caller ID Spoofing Puts Innocent Man In Jail
Joe Shortsleeve via Monty Solomon
Pre-canned GSM eavesdropping
David Magda
Video eye to scan for Newton parking lapses, will speed ticketing
Peter Schworm via Monty Solomon
Trafficking in Human Data
Jason Roberson via PGN
4000 echocardiograms lost on a computer read by technicians
DKRoss via PGN
Measuring crisis response time
Peter Houppermans
Cyber attack 'could fell US within 15 minutes'
Matthew Kruk
Galaxy 15 satellite out of control, posing interference threat
Lauren Weinstein
$42.9 million slot jackpot should have been $20
Jim Reisert
Affair outed by cellphone records
Gene Wirchenko
Risks of remote administration, especially with bad crypto
Alexander Klimov
Encrypted Google Web search
Google via Monty Solomon
Google Streetview inadvertently Captured Unencrypted Wi-Fi Data
Bob Gezelter
IBM distributes virus-laden USB keys at security conference
Matthew Kruk
Scientist Infects Himself With Computer Virus
Palmer/Maija
Re: More Virus Protection Woes
Jonathan de Boyne Pollard
Re: The Stock Market Fiasco of 6 May 2010
Bob Frankston
KNX: "Think Before You Friend!"—How Facebook Can Seriously Bite
Lauren Weinstein
Re: Risks of RFID car keys
Jonathan de Boyne Pollard
Re: Wikipedia risks to personal reputation
RISKS-26.06
Info on RISKS (comp.risks)

Drilling for Certainty

"Peter G. Neumann" <neumann@csl.sri.com>
Fri, 21 May 2010 20:11:19 PDT

David Brooks (*The New York Times* Op Ed, 28 May 2010, A19 Nat'l Edition)
had a very timely column that is right in line with many RISKS topics.

  "If there is one thing we've learned, it is that humans are not great
  at measuring and responding to risk when placed in situations too
  complicated to understand." ... "There must be ways to improve the choice
  architecture --- to help people guard against risk creep, false security,
  groupthink, the good-news bias [`people tend to spread good news and hide
  bad news'] and all of the rest."


US Navy's Electro-Magnetic Aircraft Launch System software problem

Bruce Horrocks <bruce@scorecrow.com>
Wed, 12 May 2010 19:16:11 +0100

<http://www.theregister.co.uk/2010/05/12/emals_backfire/>

The article describes an incident where, apparently, a test of the US Navy's
new Electro-Magnetic Aircraft Launch System (EMALS) failed because it
unexpectedly went in reverse, destroying 'important equipment' and delaying
the program by several months. The failure has been blamed on a software
problem.

Given that such a device only has two possible ways to move - forwards or
backwards - one wonders just how it happened. However, I'm sure that it is
far more complicated than I realise.

What is most risky is the attitude of EMALS programme chief Captain Randy
Mahr who says, "The things that are delaying me right now are software
integration issues, which can be fine-tuned after the equipment is installed
in the ship."

I think most RISKS readers will agree that on-board ship will be the worst
place to finish the software. (However it will be the best place in order to
claim to your paymasters that the project is complete and operational - bar
a minor software glitch that may not happen again. And even if it does, it
may not kill or injure anyone as long as we remember to tell everyone to
stand well away from the back of the machine as well as the front.)


It's not just the camera in the laptop

Jeremy Epstein <jeremy.j.epstein@gmail.com>
Fri, 21 May 2010 08:47:22 -0400

Risks tend to be worse when there are independent pieces which may be
relatively safe, but put together in unsafe ways.  Bad practices also help.
Here's a good example with all of the above.

As described in RISKS-25.95 and 25.97, a school district in Pennsylvania
provided laptops to students equipped with the LanRev software, which allows
remotely enabling the camera.  While initially claimed to be used to track
down stolen units, the school district is alleged to have used the camera to
spy on students, including capturing pictures of students in their homes in
various states of undress.  [The students' lawyers claim that through the
discovery process they've found thousands of pictures, which the court is
allowing the families to review, which makes the "track down stolen units"
argument suspect.]

The LanRev software in the laptop works by querying a server every few
seconds for commands.  It turns out that the software uses a fixed
encryption key (the same for all instances of the software worldwide), so
once you have the key, if you can get in the middle, you can issue commands
to the client that it will believe.  The Wired article describing this
weakness talks about being on the same network as the laptop (e.g., common
Wifi network) to jump in the middle, but of course it can also be done by
redirecting the client through DNS or BGP to a site that the attacker
controls.  And once you can impersonate the server, you can tell the client
to do anything, including running arbitrary programs.

So the risk is the combination of:
* Poor use of encryption (fixed shared key)
* Lack of a reliable way to get to a server (no protection against DNS, BGP,
  or MITM attacks)
* Application software running with full system access (lack of least
  privilege)
* Cameras that give no reliable indication of when they're on (there's a
  light on some cameras, but it's software-controlled - and I'm guessing
  that LanRev doesn't turn it on since their product is designed to use in
  case the equipment is stolen to remotely enable the camera)
* The purchaser (the school district) not knowing what questions to ask
  before buying/installing the software

[The vendor selling the LanRev software says they're releasing a new version
that uses SSL/TLS, which will address many of these problems.  Amazing to me
that with open source TLS implementations (e.g., OpenSSL), there's anyone
still rolling their own crypto....]

http://www.wired.com/threatlevel/2010/05/lanrev/


Caller ID Spoofing Puts Innocent Man In Jail (Joe Shortsleeve)

Monty Solomon <monty@roscom.com>
Wed, 12 May 2010 21:37:28 -0400

[Source: Joe Shortsleeve, Caller ID Spoofing Puts Innocent Man In Jail, WBZ,
11 May 2010]

Imagine police bursting into your home, handcuffing you, and then locking
you up for days for something you did not do.  The I-Team says that is
exactly what happened to a Quincy man, and WBZ's Chief Correspondent Joe
Shortsleeve says this man was set up by someone using a popular technology.
The man does not want people to know his name, but he recounted that cold
winter night a year ago when he was making cupcakes in his kitchen. ...

http://wbztv.com/local/man.arrested.innocent.2.1686484.html


Pre-canned GSM eavesdropping

"David Magda" <dmagda@ee.ryerson.ca>
Tue, 11 May 2010 11:47:56 -0400

A company called Meganet has released a product that allows you to
eavesdrop on GSM signals. From the "Engadget" article:

> The ["Dominator I"] system consists of two nondescript white boxes, two
> directional antennas that you'll point in the direction of your victim,
> and a laptop that you can use to get a glimpse at all of the phones
> currently connected to your nearest cell site and record up to four active
> calls simultaneously [...]. It can't do the 128-bit A5/3 used in UMTS, but
> now that it's been cracked in a somewhat practical way, we're sure the
> Dominator II can't be far behind.

http://tinyurl.com/2wdsu6y
http://www.engadget.com/2010/05/10/meganets-dominator-i-snoops-on-four-gsm-convos-at-once-fits-in/

The product is not yet listed on their web page:

http://www.meganet.com/

Time to change the cipher I guess.


Video eye to scan for Newton parking lapses, will speed ticketing

Monty Solomon <monty@roscom.com>
Sun, 16 May 2010 17:08:26 -0400

[Source: Peter Schworm, *The Boston Globe*, 10 May 2010; PGN-ed]

Newton MA is acquiring three $50K automatic license plate recognition
devices with a panoramic video camera, laptop computer, and sophisticated
software to detect cars that have been parked too long that sounds an alert
to write a ticket.

Similar technology has been put to use by a number of police departments
across the state in recent years, but largely to enforce outstanding arrest
warrants or hunt for serious offenders.  Some communities, including Boston,
use such a system to locate repeat parking offenders.

http://www.boston.com/news/local/massachusetts/articles/2010/05/10/newton_goes_high_tech_vs_parking_violators/


Trafficking in Human Data (Jason Roberson)

"Peter G. Neumann" <neumann@csl.sri.com>
Thu, 20 May 2010 18:50:55 PDT

Device design for gathering data and billing rather than safety?

[Source: Jason Roberson, Hospitals criticized over offers to earn or save
money by sharing electronic patient data, *The Dallas Morning News* item, 18
May 2010, thanks to dkross.  PGN-ed]
http://www.dallasnews.com/sharedcontent/dws/bus/stories/051810dnbuspatientprivacy.1372a8f4.html

"The $45 billion set aside for electronic health records in the federal
government's 2009 stimulus package created a carrot-and-stick approach to
lure providers into the electronic age.  Physician practices could be paid
up to $44,000 over five years, and hospitals could get a maximum of $15.9
million to install systems that comply with federal rules.  On the other
hand, the government would penalize providers that don't participate,
reducing their Medicare and Medicaid payments by 1 percent beginning in
2015. In later years, the penalty grows to 3 percent."

But with the promises of efficiency come questions of privacy.  Dallas-based
Tenet Healthcare Corp.'s vendor has been criticized for sharing patient data
with drug companies. Fort Worth's Cook Children's Health Care System
potential vendor may offer physician customers discounts for sharing patient
data.  Three other hospitals anticipate sharing records.

Dr. Deborah Peel, founder of Patient Privacy Rights, questions whether a
patient's most confidential information in their medical records, such as
psychological treatment or HIV testing, will be secure at those hospitals.
"Once your information is released, it's like a sex tape that lives in
perpetuity in cyberspace," Peel said. "You can never get it back."

http://www.dallasnews.com/sharedcontent/dws/bus/stories/051810dnbuspatientprivacy.1372a8f4.html


4000 echocardiograms lost on a computer read by technicians

"Peter G. Neumann" <neumann@csl.sri.com>
Fri, 28 May 2010 15:13:27 PDT

  [From D.K.Ross]

http://manhattan.ny1.com/content/top_stories/119355/heart-tests-went-unread-for-years-at-harlem-hospital


Measuring crisis response time

Peter Houppermans <peter@houppermans.com>
Fri, 28 May 2010 12:18:01 +0200

Apologies for the self promotion, but I keep getting good feedback for my
simple, non-technical method of determining Business Continuity Management
agility:

  1. Take a copy of your BCM/BCP guide.
  2. Carry it to a safe place.
  3. Set fire to it and measure how long it burns.

Background here: http://bit.ly/alOheK.

Given that these manuals can serve in possible loss-of-life situations I'm
not quite sure how someone can supply this in good conscience, but I'm
positive this will start a healthy debate.


Cyber attack 'could fell US within 15 minutes'

"Matthew Kruk" <mkrukg@gmail.com>
Sat, 8 May 2010 17:14:06 -0600

http://www.telegraph.co.uk/news/worldnews/northamerica/usa/7691500/Cyber-attack-could-fell-US-within-15-minutes.html

The US must prepare itself for a full-scale cyber attack which could cause
death and destruction across the country in less than 15 minutes, according
to Richard Clarke, former anti-terrorism Tsar to Bill Clinton and George W
Bush.  Clarke claims that America's lack of preparation for the annexing of
its computer system by terrorists could lead to an "electronic Pearl
Harbor".  In his warning, Mr Clarke paints a doomsday scenario in which the
problems start with the collapse of one of the Pentagon's computer networks.
[Source: Alex Spillius in Washington, *The Telegraph*, 07 May 2010; PGNed]


Galaxy 15 satellite out of control, posing interference threat

Lauren Weinstein <lauren@vortex.com>
Sun, 9 May 2010 17:25:59 -0700

  [From the Network Neutrality Squad list]

Galaxy 15 satellite out of control, posing interference threat to
other satellites
http://bit.ly/bjrL9m  (Christian Science Monitor)


$42.9 million slot jackpot should have been $20

Jim Reisert AD1C <jjreisert@alum.mit.edu>
Wed, 19 May 2010 15:28:47 -0600

*The Denver Post*
http://www.denverpost.com/ci_15117714

The correct prize for an apparent $42.9 million slot machine jackpot that a
Thornton woman hit at a Central City casino should have been $20.18,
Colorado gaming regulators said [19 May 2010].  The errant jackpot appeared
on a "Price is Right" penny slot at Fortune Valley Hotel & Casino on March
26 after Louise Chavez made a minimum bet of 40 cents.

The Colorado Division of Gaming's forensic investigation found that the slot
machine malfunctioned and displayed the wrong payout because of errors in
"mathematical calculations built into the game software."

Interesting that it was a mathematical error, and not a mechanical one.  I
guess someone missed testing this corner case!  Certainly in this case, the
Price WASN'T Right!

Jim Reisert AD1C, <jjreisert@alum.mit.edu>, http://www.ad1c.us


Affair outed by cellphone records

Gene Wirchenko <genew@ocis.net>
Tue, 18 May 2010 09:07:53 -0700

  Mom who cheated on husband says Rogers bill outed her affair and broke up
  her marriage because her Rogers cellphone bill exposed her extramarital
  affair, and is suing Rogers.  [Source: "The Daily News" of Kamloops, BC,
  Canada, 2010-05-18, p. A7; PGNed]

Well, this is an interesting mess.  This raises questions.  The answers will
vary by jurisdiction.

* When can a service provider combine billing?  What are the privacy
  implications, and how are they covered by law?

* If the invoice and surrounding matters are evidence for this trial, what
  about a claim by the ex-husband for breach of marriage contract?  Note
  that the husband is not limited to seeking merely $600,000, but might seek
  more.

* While adultery is not a criminal offence in Canada, it is grounds for
  divorce.  Consequently, it is reasonable to argue that adultery is not in
  the public interest.  Criminal activity would not be protected by privacy
  laws, but should such a situation be protected?  Would the answer change
  if the husband caught a sexually-transmitted disease as a result of his
  wife's affair?  Why or why not?


Risks of remote administration, especially with bad crypto

Alexander Klimov <alserkli@inbox.ru>
Tue, 25 May 2010 15:32:33 +0300

I guess most readers remember the story when a remote administration
program "Absolute Manage" was used to spy on students at home via
their laptop web-cams. Recent analysis
<http://www.freedom-to-tinker.com/blog/jhalderm/schools-laptop-spying-software-exploitable-anywhere>
shows that one does not need to be a sysadmin in that school to
exploit it.

It turns out that the software uses a fixed (hard-coded) Blowfish key for all
its encryption and a 7-digit number (SeedValue) for authentication. As a
result all communication can be easily decrypted once intercepted.  In
addition it is possible in about four hours of guessing to find the SeedValue
used by each client for its server authentication (the same number is used by
all clients of a server) and send commands to a client even without a need
for network data interception.
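To make concrete why the fixed key and short SeedValue described in this item and in Jeremy Epstein's "It's not just the camera in the laptop" item above give no real authentication, here is an added illustration (not the product's code or protocol; the key value, seed, command names and allow-list are constructed) comparing that design with per-device enrollment secrets and a command allow-list:

```python
import hashlib
import hmac
import math
import secrets

# Constructed model (not the vendor's code) of the two designs discussed above.
# Weak: one fixed key in every installed agent plus a 7-digit SeedValue, shared
# by all agents of a server, as the only "authentication". Hardened: each agent
# is enrolled with its own random 256-bit secret and honours an allow-list only.

FIXED_KEY = b"identical-in-every-copy-of-the-software"  # hypothetical placeholder
SEED_DIGITS = 7

def weak_tag(seed: int, command: bytes) -> bytes:
    # Stands in for "encrypt under the fixed key"; FIXED_KEY ships in every copy.
    msg = f"{seed:0{SEED_DIGITS}d}".encode() + b"|" + command
    return hmac.new(FIXED_KEY, msg, hashlib.sha256).digest()

class WeakAgent:
    # Executes any command whose tag verifies under the global key and the seed.
    def __init__(self, seed: int) -> None:
        self.seed = seed

    def accept(self, command: bytes, tag: bytes) -> bool:
        return hmac.compare_digest(weak_tag(self.seed, command), tag)

def enroll() -> bytes:
    # Per-device secret generated once at enrollment and never shared.
    return secrets.token_bytes(32)

def strong_tag(device_secret: bytes, command: bytes) -> bytes:
    return hmac.new(device_secret, command, hashlib.sha256).digest()

class HardenedAgent:
    # Verifies with its own secret and refuses commands outside the allow-list,
    # so "run an arbitrary program" is not something any server can ask for.
    ALLOWED = frozenset({b"locate", b"lock", b"wipe"})

    def __init__(self, device_secret: bytes) -> None:
        self.secret = device_secret

    def accept(self, command: bytes, tag: bytes) -> bool:
        if command.split(b" ", 1)[0] not in self.ALLOWED:
            return False
        return hmac.compare_digest(strong_tag(self.secret, command), tag)

def secret_bits(decimal_digits: int) -> float:
    # Entropy of a uniformly chosen n-digit decimal value, in bits.
    return decimal_digits * math.log2(10)

def hours_to_exhaust(bits: float, guesses_per_second: float) -> float:
    # Worst-case time to enumerate every one of the 2**bits possible values.
    return 2 ** bits / guesses_per_second / 3600

def demo() -> dict:
    seed = 1234567  # constructed SeedValue
    weak = WeakAgent(seed)
    forged = b"run /tmp/anything"
    # With the shipped key and the seed, a forged command is indistinguishable
    # from the real server's; no network interception is required.
    weak_accepts = weak.accept(forged, weak_tag(seed, forged))
    secret = enroll()
    hardened = HardenedAgent(secret)
    # A tag made with the global key is useless against a per-device secret,
    # and an out-of-policy command is refused even when correctly tagged.
    forged_accepted = hardened.accept(b"locate", weak_tag(seed, b"locate"))
    policy_accepted = hardened.accept(forged, strong_tag(secret, forged))
    genuine_accepted = hardened.accept(b"locate", strong_tag(secret, b"locate"))
    return {
        "weak_accepts_forgery": weak_accepts,                # True
        "hardened_accepts_forgery": forged_accepted,         # False
        "hardened_runs_arbitrary_program": policy_accepted,  # False
        "hardened_accepts_genuine": genuine_accepted,        # True
    }
```

Against the roughly 23 bits of a 7-digit seed, hours_to_exhaust(secret_bits(7), 700) comes to about four hours, matching the figure in the item, whereas the enrolled 256-bit secret is out of reach of any such guessing.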


Encrypted Google Web search

Monty Solomon <monty@roscom.com>
Sat, 22 May 2010 09:22:43 -0400

Search more securely with encrypted Google Web search, 21 May 2010

As people spend more time on the Internet, they want greater control over
who has access to their online communications. Many Internet services use
what are known as Secure Sockets Layer (SSL) connections to encrypt
information that travels between your computer and their service. Usually
recognized by a web address starting with "https" or a browser lock icon,
this technology is regularly used by online banking sites and e-commerce
websites. Other sites may also implement SSL in a more limited fashion, for
example, to help protect your passwords when you enter your login
information.

Years ago Google added SSL encryption to products ranging from Gmail to
Google Docs and others, and we continue to enable encryption on more
services. Like banking and e-commerce sites, Google's encryption extends
beyond login passwords to the entire service. This session-wide encryption
is a significant privacy advantage over systems that only encrypt login
pages and credit card information.  Early this year, we took an important
step forward by making SSL the default setting for all Gmail users. And
today we're gradually rolling out a new choice to search more securely at
https://www.google.com. ...

http://googleblog.blogspot.com/2010/05/search-more-securely-with-encrypted.html

SSL Search
http://www.google.com/support/websearch/bin/answer.py?answer=173733&hl=en


Google Streetview inadvertently Captured Unencrypted Wi-Fi Data

Bob Gezelter <gezelter@rlgsc.com>
Sat, 15 May 2010 06:43:38 -0500

An article that originally appeared in Bits, one of the online blogs
maintained by staff of *The New York Times*, has been repeated on the
first business page of today's paper.

Apparently, it has been disclosed that Google's Streetview imaging vehicles
were also taking note of Wi-Fi networks they encountered in their surveys.
The details of what happened are contained in the underlying Google blog
post at:
  http://googleblog.blogspot.com/2010/05/wifi-data-collection-update.html

It appears to be a case of code reuse with under-appreciated side effects.
Then again, unencrypted Wi-Fi should probably only be used for otherwise
encrypted traffic (e.g., VPN, SSH, HTTPS) with properly administered keys.

All in all, since the Google Streetview vehicles were not in any one place
for any length of time, the danger of this is low. It is certainly not cost
effective for an organization to trawl through a large geographic space
looking for interesting data. The hazard is more credible with more local,
non-roving threats, who acquire data over a longer period of time.

Morals of the story:
  1) Encrypt your home network
  2) Use public Wi-Fi as a carrier for otherwise enciphered traffic

I noted the utility of public, unencrypted Wi-Fi as a "dial-tone" for
otherwise secured communications (e.g., VPN) in a series of talks under the
auspices of the IEEE Computer Society Distinguished Visitor Program.  "Safe
Computing in the Age of Ubiquitous Connectivity", a paper presenting this
material was presented at LISAT 2007. A reprint of this paper is available
at: http://www.rlgsc.com/ieee/longisland/2007/ubiquitous.html

The New York Times article is at:
  http://www.nytimes.com/2010/05/15/business/15google.html?hpw

CNN/Money has also published an account, at:
  http://money.cnn.com/2010/05/14/technology/Google_mistaken_wifi_collection/index.htm

Bob Gezelter, http://www.rlgsc.com


IBM distributes virus-laden USB keys at security conference

"Matthew Kruk" <mkrukg@gmail.com>
Sat, 22 May 2010 13:34:41 -0600

IBM distributes virus-laden USB keys at security conference
ASHER MOSES
May 21, 2010

IBM has been left with egg on its face after it distributed virus-laden USB
keys to attendees at Australia's biggest computer security conference.

Delegates of the AusCERT conference, held over the past week at the Royal
Pines Resort on the Gold Coast, were told about the malware problem in a
warning email this afternoon by IBM Australia chief technologist Glenn
Wightwick.

The incident is ironic because conference attendees include the who's who of
the computer security world and IBM was there to show off its security
credentials. ...

http://www.smh.com.au/technology/security/ibm-distributes-virusladen-usb-keys-at-security-conference-20100521-w1gv.html


Scientist Infects Himself With Computer Virus

"Peter G. Neumann" <neumann@csl.sri.com>
Wed, 26 May 2010 16:24:36 PDT

[Source: Palmer/Maija, *Financial Times* 26 May 2010;
Excerpted from ACM TechNews, 26 May 2010.  PGN]

University of Reading scientist Mark Gasson has deliberately infected
himself with a computer virus in order to study the potential risks of
implanting electronic devices in humans.  Gasson implanted a radio frequency
identification chip into his left hand last year.  The chip, which is about
the size of a grain of rice, gives him secure access to Reading's buildings
and his mobile phone.  Gasson then introduced a computer virus into the
chip.  He says the infected microchip contaminated the system that was used
to communicate with it, and notes that it would have infected any other
devices it was connected to.  Gasson says the experiment provides a "glimpse
at the problems of tomorrow," considering devices such as heart pacemakers
and cochlear implants are essentially mini-computers that communicate,
store, and manipulate data.  "This means that, like mainstream computers,
they can be infected by viruses and the technology will need to keep pace
with this so that implants, including medical devices, can be safely used in
the future," he says.
  http://www.ft.com/cms/s/0/2e2f5ea4-68b5-11df-96f1-00144feab49a.html


Re: More Virus Protection Woes (Brady, RISKS 26.04)

Jonathan de Boyne Pollard <J.deBoynePollard-newsgroups@ntlworld.com>
Sat, 08 May 2010 13:33:02 +0100

As a former Microsoft MVP myself, I append a note of caution to M. Brady's
pointing to a Usenet conversation between one Microsoft MVP (Robear Dyer)
and xyrself, misattributed to "the MS MVPs".  MVPs don't represent Microsoft
in any way.  Nor do MVPs work for Microsoft.  (Robear Dyer's potted
autobiography at James A. Eshelman's Windows Support Centre WWW site states
that xe works for a vineyard.)  MVPs are helpful experts that Microsoft has
chosen to recognize for their on-line contributions.  They are not a formal
organization or a club, with a collective voice, but individuals in receipt
of (annual) awards of a title.

For more information, read http://mvps.org./about/ and
http://aumha.org./ as well as, of course, Microsoft's own WWW pages
about the MVP award programme.


Re: The Stock Market Fiasco of 6 May 2010 (RISKS-26.06)

"Bob Frankston" <Bob19-0501@bobf.frankston.com>
Fri, 14 May 2010 11:43:04 -0400

A *NYTimes* story debunks the fat finger theory and the problem of
individual markets trying to correct these aberrations.
http://www.nytimes.com/2010/05/14/business/14norris.html?ref=business It
also calls to mind the recent understanding of rogue waves
(http://en.wikipedia.org/wiki/Rogue_wave) which didn't fit into the classic
models. As per the NYT article I don't want to claim any understanding of
the particular complex phenomena but I do feel that our tendency towards
analog continuous models fails us when digital or quantizing effects are
interacting.


KNX: "Think Before You Friend!"—How Facebook Can Seriously Bite

Lauren Weinstein <lauren@vortex.com>
Thu, 13 May 2010 16:55:30 -0700

  [NNSquad]

L.A. newsradio station KNX has been running a series on how various entities
-- real estate agents, landlords, banks, and other financial institutions --
are using the data they find on Facebook to make decisions about real-world
matters with tremendous impact on individual lives.  Say too much, and you
might get burned.  Look like you're too private, and they might think you're
hiding something.

The entire series to date is available here:
  http://bit.ly/aPRDCa  (KNX 1070 Los Angeles)


Re: Risks of RFID car keys (Garret, RISKS-26.04)

Jonathan de Boyne Pollard <J.deBoynePollard-newsgroups@ntlworld.com>
Sat, 08 May 2010 13:35:49 +0100

Garret writes of a passive RFID device that xe does not have to be in direct
physical possession of, or even know the location of; that xe doesn't have
to formally present to a security device, or take any overt action in order
to operate; that a miscreant with suitable transponders located near to
M. Garret's home/hotel room/backpack can make use of remotely, without
necessarily trespassing upon M. Garret's property at all or having any sort
of physical access to xyr belongings or even cracking the encryption; that
will nonetheless enable M. Garret and such miscreants to access and to drive
M. Garret's (rented) car.  These are not new problems, of course.  Bruce
Schneier and Avi Rubin, amongst others, wrote about them almost half a
decade ago.  My first reaction, upon reading this latest article, was blunt:
Why is anybody still calling such devices "keys"?  They are clearly not.

Perhaps RISKS readers can come up with more suitable names.


Re: Wikipedia risks to personal reputation (RISKS-26.06)

"Peter G. Neumann" <neumann@csl.sri.com>
Wed, 19 May 2010 14:32:06 PDT

Quite a few of our RISKS readers pointed out that the long message from
Edward Nilges in the previous issue was not really an appropriate item nor
was it sufficiently related to Computer-Related Risks, suggesting that I
erred in including it in RISKS-26.06.  I agree.  I erred, and apologize.
