David Brooks (*The New York Times* Op Ed, 28 May 2010, A19 Nat'l Edition) had a very timely column that is right in line with many RISKS topics. "If there is one thing we've learned, it is that humans are not great at measuring and responding to risk when placed in situations too complicated to understand." ... "There must be ways to improve the choice architecture --- to help people guard against risk creep, false security, groupthink, the good-news bias [`people tend to spread good news and hide bad news'] and all of the rest."
<http://www.theregister.co.uk/2010/05/12/emals_backfire/> The article describes an incident where, apparently, a test of the US Navy's new Electro-Magnetic Aircraft Launch System (EMALS) failed because it unexpectedly went in reverse, destroying 'important equipment' and delaying the program by several months. The failure has been blamed on a software problem. Given that such a device only has two possible ways to move - forwards or backwards - one wonders just how it happened. However, I'm sure that it is far more complicated than I realise. What is most risky is the attitude of EMALS programme chief Captain Randy Mahr who says, "The things that are delaying me right now are software integration issues, which can be fine-tuned after the equipment is installed in the ship." I think most RISKS readers will agree that on-board ship will be the worst place to finish the software. (However it will be the best place in order to claim to your paymasters that the project is complete and operational - bar a minor software glitch that may not happen again. And even if it does, it may not kill or injure anyone as long as we remember to tell everyone to stand well away from the back of the machine as well as the front.)
Risks tend to be worse when there are independent pieces which may be relatively safe, but put together in unsafe ways. Bad practices also help. Here's a good example with all of the above. As described in RISKS-25.95 and 25.97, a school district in Pennsylvania provided laptops to students equipped with the LanRev software, which allows remotely enabling the camera. While initially claimed to be used to track down stolen units, the school district is alleged to have used the camera to spy on students, including capturing pictures of students in their homes in various states of undress. [The students' lawyers claim that through the discovery process they've found thousands of pictures, which the court is allowing the families to review, which makes the "track down stolen units" argument suspect.] The LanRev software in the laptop works by querying a server every few seconds for commands. It turns out that the software uses a fixed encryption key (the same for all instances of the software worldwide), so once you have the key, if you can get in the middle, you can issue commands to the client that it will believe. The Wired article describing this weakness talks about being on the same network as the laptop (e.g., common Wifi network) to jump in the middle, but of course it can also be done by redirecting the client through DNS or BGP to a site that the attacker controls. And once you can impersonate the server, you can tell the client to do anything, including running arbitrary programs. So the risk is the combination of: * Poor use of encryption (fixed shared key) * Lack of a reliable way to get to a server (no protection against DNS, BGP, or MITM attacks) * Application software running with full system access (lack of least privilege) * Cameras that give no reliable indication of when they're on (there's a light on some cameras, but it's software-controlled - and I'm guessing that LanRev doesn't turn it on since their product is designed to use in case the equipment is stolen to remotely enable the camera) * The purchaser (the school district) not knowing what questions to ask before buying/installing the software [The vendor selling the LanRev software says they're releasing a new version that uses SSL/TLS, which will address many of these problems. Amazing to me that with open source TLS implementations (e.g., OpenSSL), there's anyone still rolling their own crypto....] http://www.wired.com/threatlevel/2010/05/lanrev/
[Source: Joe Shortsleeve, Caller ID Spoofing Puts Innocent Man In Jail, WBZ, 11 MAy 2010] Imagine police bursting into your home, handcuffing you, and then locking you up for days for something you did not do. The I-Team says that is exactly what happened to a Quincy man, and WBZ's Chief Correspondent Joe Shortsleeve says this man was set up by someone using a popular technology. The man does not want people to know his name, but he recounted that cold winter night a year ago when he was making cupcakes in his kitchen. ... http://wbztv.com/local/man.arrested.innocent.2.1686484.html
A company called Meganet has released a product that allows you to eavesdrop on GSM signals. From the "Engadget" article: > The ["Dominator I"] system consists of two nondescript white boxes, two > directional antennas that you'll point in the direction of your victim, > and a laptop that you can use to get a glimpse at all of the phones > currently connected to your nearest cell site and record up to four active > calls simultaneously [...]. It can't do the 128-bit A5/3 used in UMTS, but > now that it's been cracked in a somewhat practical way, we're sure the > Dominator II can't be far behind. http://tinyurl.com/2wdsu6y http://www.engadget.com/2010/05/10/meganets-dominator-i-snoops-on-four-gsm-convos-at-once-fits-in/ The product is not yet listed on their web page: http://www.meganet.com/ Time to change the cipher I guess.
[Source: Peter Schworm, *The Boston Globe*, 10 May 2010; PGN-ed] Newton MA is acquiring three $50K automatic license plate recognition devices with a panoramic video camera, laptop computer, and sophisticated software to detect cars that have been parked too long that sounds an alert to write a ticket. Similar technology has been put to use by a number of police departments across the state in recent years, but largely to enforce outstanding arrest warrants or hunt for serious offenders. Some communities, including Boston, use such a system to locate repeat parking offenders. http://www.boston.com/news/local/massachusetts/articles/2010/05/10/newton_goes_high_tech_vs_parking_violators/
Device design for gathering data and billing rather than safety? [Source: Jason Roberson, Hospitals criticized over offers to earn or save money by sharing electronic patient data, *The Dallas Morning News* item, 18 May 2010, thanks to dkross. PGN-ed] http://www.dallasnews.com/sharedcontent/dws/bus/stories/051810dnbuspatientprivacy.1372a8f4.html “The $45 billion set aside for electronic health records in the federal government's 2009 stimulus package created a carrot-and-stick approach to lure providers into the electronic age. Physician practices could be paid up to $44,000 over five years, and hospitals could get a maximum of $15.9 million to install systems that comply with federal rules. On the other hand, the government would penalize providers that don't participate, reducing their Medicare and Medicaid payments by 1 percent beginning in 2015. In later years, the penalty grows to 3 percent.'' But with the promises of efficiency come questions of privacy. Dallas-based Tenet Healthcare Corp.'s vendor has been criticized for sharing patient data with drug companies. Fort Worth's Cook Children's Health Care System potential vendor may offer physician customers discounts for sharing patient data. Three other hospitals anticipate sharing records. Dr. Deborah Peel, founder of Patient Privacy Rights, questions whether a patient's most confidential information in their medical records, such as psychological treatment or HIV testing, will be secure at those hospitals. "Once your information is released, it's like a sex tape that lives in perpetuity in cyberspace," Peel said. "You can never get it back." http://www.dallasnews.com/sharedcontent/dws/bus/stories/051810dnbuspatientprivacy.1372a8f4.html
[From D.K.Ross] http://manhattan.ny1.com/content/top_stories/119355/heart-tests-went-unread-for-years-at-harlem-hospital
Apologies for the self promotion, but I keep getting good feedback for my simple, non-technical method of determining Business Continuity Management agility: 1. Take a copy of your BCM/BCP guide. 2. Carry it to a safe place. 3. Set fire to it and measure how long it burns. Background here: http://bit.ly/alOheK. Given that these manuals can serve in possible loss-of-life situations I'm not quite sure how someone can supply this in good conscience, but I'm positive this will start a healthy debate.
http://www.telegraph.co.uk/news/worldnews/northamerica/usa/7691500/Cyber-attack-could-fell-US-within-15-minutes.html The US must prepare itself for a full-scale cyber attack which could cause death and destruction across the country in less than 15 minutes, according to Richard Clarke, former anti-terrorism Tsar to Bill Clinton and George W Bush. Clarke claims that America's lack of preparation for the annexing of its computer system by terrorists could lead to an "electronic Pearl Harbor". In his warning, Mr Clarke paints a doomsday scenario in which the problems start with the collapse of one of Pentagon's computer networks. [Source: Alex Spillius in Washington, *The Telegraph*, 07 May 2010; PGNed]
[From the Network Neutrality Squad list] Galaxy 15 satellite out of control, posing interference threat to other satellites http://bit.ly/bjrL9m (Christian Science Monitor)
*The Denver Post* http://www.denverpost.com/ci_15117714 The correct prize for an apparent $42.9 million slot machine jackpot that a Thornton woman hit at a Central City casino should have been $20.18, Colorado gaming regulators said [19 May 2010]. The errant jackpot appeared on a "Price is Right" penny slot at Fortune Valley Hotel & Casino on March 26 after Louise Chavez made a minimum bet of 40 cents. The Colorado Division of Gaming's forensic investigation found that the slot machine malfunctioned and displayed the wrong payout because of errors in "mathematical calculations built into the game software." Interesting that it was a mathematical error, and not a mechanical one. I guess someone missed testing this corner case! Certainly in this case, the Price WASN'T Right! Jim Reisert AD1C, <firstname.lastname@example.org>, http://www.ad1c.us
Mom who cheated on husband says Rogers bill outed her affair and broke up her marriage because her Rogers cellphone bill exposed her extramarital affair, and is suing Rogers. [Source: "The Daily News" of Kamloops, BC, Canada, 2010-05-18, p. A7; PGNed] Well, this is an interesting mess. This raises questions. The answers will vary by jurisdiction. * When can a service provider combine billing? What are the privacy implications, and how are they covered by law? * If the invoice and surrounding matters are evidence for this trial, what about a claim by the ex-husband for breach of marriage contract? Note that the husband is not limited to seeking merely $600,000, but might seek more. * While adultery is not a criminal offence in Canada, it is grounds for divorce. Consequently, it is reasonable to argue that adultery is not in the public interest. Criminal activity would not be protected by privacy laws, but should such a situation be protected? Would the answer change if the husband caught a sexually-transmitted disease as a result of his wife's affair? Why or why not?
I guess most readers remember the story when a remote administration program "Absolute Manage" was used to spy on students at home via their laptop web-cams. Recent analysis <http://www.freedom-to-tinker.com/blog/jhalderm/schools-laptop-spying-software-exploitable-anywhere> shows that one does not need to be a sysadmin in that school to exploit it. Turns out that software uses a fixed (hard-coded) Blowfish key for all its encryption and a 7-digit number (SeedValue) for authentication. As a result all communication can be easily decrypted once intercepted. In addition it is possible in about four hours of guessing to find the SeedValue used by each client for its server authentication (the same number is used by all clients of a server) and send commands to a client even without a need for network data interception.
Search more securely with encrypted Google Web search, 21 May 2010 As people spend more time on the Internet, they want greater control over who has access to their online communications. Many Internet services use what are known as Secure Sockets Layer (SSL) connections to encrypt information that travels between your computer and their service. Usually recognized by a web address starting with "https" or a browser lock icon, this technology is regularly used by online banking sites and e-commerce websites. Other sites may also implement SSL in a more limited fashion, for example, to help protect your passwords when you enter your login information. Years ago Google added SSL encryption to products ranging from Gmail to Google Docs and others, and we continue to enable encryption on more services. Like banking and e-commerce sites, Google's encryption extends beyond login passwords to the entire service. This session-wide encryption is a significant privacy advantage over systems that only encrypt login pages and credit card information. Early this year, we took an important step forward by making SSL the default setting for all Gmail users. And today we're gradually rolling out a new choice to search more securely at https://www.google.com. ... http://googleblog.blogspot.com/2010/05/search-more-securely-with-encrypted.html SSL Search http://www.google.com/support/websearch/bin/answer.py?answer=173733&hl=en
An article that originally appeared in Bits, one of the online Blogs maintained by staff of *The New York Times* has been repeated on the first business page of today's paper. Apparently, it has been disclosed that Google's Streetview imaging vehicles were also taking note of Wi-Fi networks they encountered in their surveys. The details of what happened are contained in the underlying Google blog post at: http://googleblog.blogspot.com/2010/05/wifi-data-collection-update.html It appears to be a case of code reuse with under-appreciated side effects. Then again, unencrypted Wi-Fi should probably only be used for otherwise encrypted traffic (e.g., VPN, SSH, HTTPS) with properly administered keys. All in all, since the Google Streetview vehicles were not in any one place for any length of time, the danger of this is low. It is certainly not cost effective for an organization to trawl through a large geographic space looking for interesting data. The hazard is more credible with more local, non-roving threats, who acquire data over a longer period of time. Morals of the story: 1) Encrypt your home network 2) Use public Wi-Fi as a carrier for otherwise enciphered traffic I noted the utility of public, unencrypted Wi-Fi as a "dial-tone" for otherwise secured communications (e.g., VPN) in a series of talks under the auspices of the IEEE Computer Society Distinguished Visitor Program. "Safe Computing in the Age of Ubiquitous Connectivity", a paper presenting this material was presented at LISAT 2007. A reprint of this paper is available at: http://www.rlgsc.com/ieee/longisland/2007/ubiquitous.html The New York Times article is at: http://www.nytimes.com/2010/05/15/business/15google.html?hpw CNN/Money has also published an account, at: http://money.cnn.com/2010/05/14/technology/Google_mistaken_wifi_collection/index.htm Bob Gezelter, http://www.rlgsc.com
IBM distributes virus-laden USB keys at security conference ASHER MOSES May 21, 2010 IBM has been left with egg on its face after it distributed virus-laden USB keys to attendees at Australia's biggest computer security conference. Delegates of the AusCERT conference, held over the past week at the Royal Pines Resort on the Gold Coast, were told about the malware problem in a warning email this afternoon by IBM Australia chief technologist Glenn Wightwick. The incident is ironic because conference attendees include the who's who of the computer security world and IBM was there to show off its security credentials. ... http://www.smh.com.au/technology/security/ibm-distributes-virusladen-usb-keys-at-security-conference-20100521-w1gv.html
[Source: Palmer/Maija, *Financial Times* 26 May 2010; Excerpted from ACM TechNews, 26 May 2010. PGN] University of Reading scientist Mark Gasson has deliberately infected himself with a computer virus in order to study the potential risks of implanting electronic devices in humans. Gasson implanted a radio frequency identification chip into his left hand last year. The chip, which is about the size of a grain of rice, gives him secure access to Reading's buildings and his mobile phone. Gasson then introduced a computer virus into the chip. He says the infected microchip contaminated the system that was used to communicate with it, and notes that it would have infected any other devices it was connected to. Gasson says the experiment provides a "glimpse at the problems of tomorrow," considering devices such as heart pacemakers and cochlear implants are essentially mini-computers that communicate, store, and manipulate data. "This means that, like mainstream computers, they can be infected by viruses and the technology will need to keep pace with this so that implants, including medical devices, can be safely used in the future," he says. http://www.ft.com/cms/s/0/2e2f5ea4-68b5-11df-96f1-00144feab49a.html
As a former Microsoft MVP myself, I append a note of caution to M. Brady's pointing to a Usenet conversation between one Microsoft MVP (Robear Dyer) and xyrself, misattributed to "the MS MVPs". MVPs don't represent Microsoft in any way. Nor do MVPs work for Microsoft. (Robear Dyer's potted autobiography at James A. Eshelman's Windows Support Centre WWW site states that xe works for a vineyard.) MVPs are helpful experts that Microsoft has chosen to recognize for their on-line contributions. They are not a formal organization or a club, with a collective voice, but individuals in receipt of (annual) awards of a title. For more information, read http://mvps.org./about/ and http://aumha.org./ as well as, of course, Microsoft's own WWW pages about the MVP award programme.
A *NYTimes* story debunks the fat finger theory and the problem of individual markets trying to correct these aberrations. http://www.nytimes.com/2010/05/14/business/14norris.html?ref=business It also calls to mind the recent understanding of rogue waves (http://en.wikipedia.org/wiki/Rogue_wave) which didn't fit into the classic models. As per the NYT article I don't want to claim any understanding of the particular complex phenomena but I do feel that our tendency towards analog continuous models fail us when digital or quantizing effects are interacting.
[NNSquad] L.A. newsradio station KNX has been running a series on how various entities -- real estate agents, landlords, banks, and other financial institutions, are using the data they find on Facebook to make decisions about real-world matters with tremendous impact on individual lives. Say too much, and you might get burned. Look like you're too private, and they might think you're hiding something. The entire series to date is available here: http://bit.ly/aPRDCa (KNX 1070 Los Angeles)
Garret writes of a passive RFID device that xe does not have to be in direct physical possession of, or even know the location of; that xe doesn't have to formally present to a security device, or take any overt action in order to operate; that a miscreant with suitable transponders located near to M. Garret's home/hotel room/backpack can make use of remotely, without necessarily trespassing upon M. Garret's property at all or having any sort of physical access to xyr belongings or even cracking the encryption; that will nonetheless enable M. Garret and such miscreants to access and to drive M. Garret's (rented) car. These are not new problems, of course. Bruce Schneier and Avi Rubin, amongst others, wrote about them almost half a decade ago. My first reaction, upon reading this latest article, was blunt: Why is anybody still calling such devices "keys"? They are clearly not. Perhaps RISKS readers can come up with more suitable names.
Quite a few of our RISKS readers pointed out that the long message from Edward Nilges in the previous issue was not really an appropriate item nor was it sufficiently related to Computer-Related Risks, suggesting that I erred in including it in RISKS-26.06. I agree. I erred, and apologize.
Please report problems with the web pages to the maintainer