The RISKS Digest

Forum on Risks to the Public in Computers and Related Systems

ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

Volume 26 Issue 14

Monday 30 August 2010

Contents

Hot debate over Electronic Voting Machines
Joseph Lorenzo Hall
Jeff Burbank: License to Steal
PGN
BC Online Casino taken offline within hours
Kelly Bert Manning
Crooks Crack Check Image Sites, Steal $9 Million - The Consumerist
Ben Popken via Davide Restivo and Dave Farber
iPhone jailbreak opens world of questions
Raj Mathur
Muni gets time wrong; 510 drivers get a ticket
Paul Saffo
No fail-safe linkage? 12-year-old paralyzed by ride
PGN
Cutoff of YouTube in Siberia due to a single video
Lauren Weinstein
Mac OS X Mail parental controls vulnerability
Jonathan Kamens
Stalkers Exploit Cellphone GPS
Justin Scheck via Monty Solomon
Agency stored body images from Florida courthouse
Mike M. Ahlers via PGN
New law bans texting while driving
Monty Solomon
Re: BP: "Will no one rid me of this turbulent alarm?"
Steven Bellovin
WSJ: What Do Online Advertisers Know About You?
Tim Jones via Monty Solomon
Re: Quiet electric & hybrid cars endanger ...
ishikawa
Re: Risks of free-text fields in medical records
Thor Lancelot Simon
Info on RISKS (comp.risks)

Hot debate over Electronic Voting Machines

Joseph Lorenzo Hall <joehall@gmail.com>
Wed, 11 Aug 2010 08:50:42 -0400

The recent EVT/WOTE workshop at USENIX Security featured a panel on 9 Aug
2010 [It was very lively and quite contentious.  PGN!] about Indian voting
machines, and related developments involving Indian law enforcement's
interest in one of the Indian hackers involved.  This is a story from *The
Hindu Times* covering the debate and subsequent developments.  [Joseph
Lorenzo Hall, ACCURATE Postdoctoral Research Associate, UC Berkeley School
of Information and Princeton Center for Information Technology Policy
http://josephhall.org/]

Narayan Lakshman, Hot debate over Electronic Voting Machines,
*The Hindu Times*, 11 Aug 2010
http://www.thehindu.com/news/international/article562910.ece?homepage=true

This week the debate on whether electronic voting machines (EVMs) in India
are tamper-proof, reached boiling point in far-away Washington, as a
representative of the Election Commission of India (ECI) and an American
university professor clashed publicly over contradictory claims regarding
the machines.

The controversy was stoked at an industry conference on EVMs, where Alok
Shukla, Deputy Election Commissioner at the ECI and Alex Halderman,
Assistant Professor of electrical engineering and computer science at the
University of Michigan, also put forth different accounts regarding the case
of Hari Prasad, a colleague of Mr.  Halderman who was alleged to have
appeared on Indian television with an EVM that he procured from unnamed
sources. ...

Vulnerable to 'dishonest display'

Yet, Mr. Halderman noted that based on the experiments that he and his
colleagues had undertaken, they could demonstrate that EVMs were vulnerable
firstly to the so-called 'dishonest display' attack whereby a
microcontroller and a Bluetooth radio chip could be smuggled into the device
using a genuine-looking display board. Through the use of these devices,
which Mr. Halderman said he had assembled at the cost of "just a few
dollars," the attacker could then signal which candidates should receive
stolen votes via a Bluetooth smart phone.

Electronic booth capture

Second, Mr. Halderman alleged, the Indian EVM was also susceptible to attack
through the use of an electronic clip, which attached directly to the EVM
chips and could rewrite the votes stored there. Not only could the votes be
changed through this "electronic form of booth capture," but the secrecy
of election data could also be violated as the clip would allow the attacker
to copy out the votes stored.

Further, Mr. Halderman said that the paper, wax and string seals used to
protect EVMs had been "widely discredited" and were entirely vulnerable to
tampering.  "Machines [are] stored around the country in a variety of
locations, from abandoned warehouses to schools, etc.  [and it is] likely
many of them could be accessed by criminals, especially with the aid of
dishonest insiders," Mr. Halderman said.

Substantiating these arguments, Indian pollster G.V.L. Narasimha Rao said
that employees of Public Sector Undertakings and their technicians --
responsible for manufacturing the EVMs -- were a "huge potential source of
fraud," even if the ECI had ruled out any form of insider threat. Further,
he said, a large number of private players were involved in election
operations including manufacturers, their agents, vendors of foreign
companies, government officials and so on. ...


Jeff Burbank: License to Steal

Peter G Neumann <risko@csl.sri.com>
Wed, 11 Aug 2010 13:34:21 PDT

The second day (10 Aug) of EVT/WOTE 2010 began with Jeff Burbank (author of
License to Steal, Nevada's Gaming Control System in the Megaresort Age,
University of Nevada Press, 2005), who gave a superb talk on insider misuse
in the gambling industry and state oversight.  The video is not on the
USENIX website (although most of the other presentations are).  Perhaps you
have to read the book, which contains much of the material presented in
Jeff's talk.


BC Online Casino taken offline within hours

Kelly Bert Manning
Sun, 8 Aug 2010 13:12:52 -0400 (EDT)

The British Columbia Lottery recently rolled out a new online Gambling web
application, then had to pull the plug within hours.  No date for reopening
has been announced.

Apart from slow online response during the brief time it was online, reports
state that BCLC let users gamble with money from other users' accounts and
exposed users' personal information to other users.

http://www.theprovince.com/technology/Privacy+commissioner+orders+shutdown+BCLC+online+gambling+site+until+glitches+fixed/3329791/story.html

To deal with the social downside of gambling addiction BCLC had recently
imposed a $9,999 limit on monthly losses and betting.  By coincidence that is
just under the $10,000 limit for Federal FINTRAC reporting of large gambling
transactions.

BCLC's month was made even worse when the Federal FINTRAC agency announced
$670,000 in fines against BCLC for alleged repeated failure to comply with
reporting requirements.
http://www.globaltvbc.com/world/BCLC+only+provincial+gambling+body+fined/3309328/story.html

BC's gambling addiction goes quite deep.

The party currently in power originally reduced the opposition to just seats
in the house, after the former Premier resigned in disgrace. Among other
issues in that debacle was "Casinogate" which involved the Minister
appointed by the former Premier intervening to approve a Casino Licence for
a hotel controlled by a motorcycle gang.

On the Bricks and Mortar side of the "business" BCLC let a gambling addict
continue to bet despite the addict's request to be banned. The request was
honored when the addict tried to collect a win, but his request was ignored
while he was losing money.

http://toronto.ctv.ca/servlet/an/local/CTVNews/20100728/bc-gambler-casino-100728?hub=Toronto

Gambling boosters claim that people will gamble anyway, so why not offer a
legal alternative?

Hasn't the USA had some success at charging and arresting companies which
process charge card transactions for illegal gambling websites?

My personal take is that anyone silly enough to pay to use an illegal online
gambling web service is also silly enough to think the game isn't rigged.
We have seen reports of rigged server code for gambling websites.


Crooks Crack Check Image Sites, Steal $9 Million - The Consumerist

Dave Farber <dave@farber.net>
Mon, 2 Aug 2010 19:38:40 -0400

http://consumerist.com/2010/08/crook-crack-check-image-sites.html

Ben Popken, Crooks Crack Check Image Sites, Steal $9 Million, 2 Aug 2010
(Davide Restivo)

Know how when you go into your online checking account you can click on
checks that you've written and see the scanned image of them? Well, those
pictures have to be stored somewhere, and they're not always secure. Russian
crooks broke into three sites that store archival check images, stole the
information, and wrote over $9 million in phony checks against over 1,200
accounts.

In order to keep the money, though, the crooks have to recruit "money mules"
through online job posting sites to unwittingly launder the checks and send
the thieves money from their own accounts, as we talked about recently in
"Watch A Money Mule Scam Unfold."

The security research firm that discovered the breach said that they've
notified the affected sites who have since sealed up the gaps, but the scam
is still operating and targeting other image archival companies.

Hm, what's the digital equivalent of the phrase, "hanging paper?"


iPhone jailbreak opens world of questions

Raj Mathur <raju@linux-delhi.org>
Fri, 6 Aug 2010 09:30:23 +0530

The recently-announced Apple iPhone jailbreak:
  http://blog.iphone-dev.org/post/890709355/the-return-of-jailbreakme-com
is much more serious than a quick scan would suggest.  For one, the
jailbreak requires no confirmation from the user: just downloading and
viewing a (small) PDF is enough to bypass all the iPhone's security and
install code at the system level.

This is also probably the first time that known vulnerabilities in a system
have been amalgamated into a user-level package meant specifically for the
purpose of bypassing restrictions in the system.  While this seems like good
news for iPhone owners, it also means that anyone can exploit the same
vulnerabilities in the same fashion to his/her own malicious ends.
Specifically, there is nothing stopping you or me from creating an equivalent
PDF that installs malware into an iPhone.

So was Apple unaware of these vulnerabilities?  That would reek of terminal
ignorance.  Assuming then that they were aware, what steps did they take to
warn customers and provide upgrades to mitigate these issues?  Or did they
deliberately ignore the potential risks to their customers so that
jailbreaks would be possible and people would continue buying iPhones?
While the last may seem far-fetched, it is true that means of jailbreaking
iPhones are in Apple's interests from a pure numbers point of view.

At a larger level, are we going to see new botnets comprised of
well-connected, high-power mobile devices?  I'm trying to picture a scenario
where existing PCs and mobile devices coalesce into creating super-powered
networks capable of attacking, spamming and warring over multiple media.
Time to hand over to the science-fiction writers, I guess.

Raj Mathur  raju@kandalaya.org  http://kandalaya.org/


Muni gets time wrong; 510 drivers get a ticket

Paul Saffo <paul@saffo.com>
Thu, 12 Aug 2010 12:32:28 -0700

*San Francisco Chronicle*
http://www.sfgate.com/cgi-bin/blogs/scavenger/detail?entry_id=69967

When it comes to parking tickets, timing is everything, as ABC7's Dan Noyes
discovered.  Under San Francisco's program to catch traffic scofflaws, some
Muni buses have been mounted with front-facing video cameras to record cars
that are illegally parked in transit-only lanes. The problem is, the camera
clocks were not adjusted for daylight saving time in March and were off an
hour—an important detail for people like George Chen. The San Francisco
smoke shop owner who has permission to park in a loading zone claims he
moved his car in time. Still, the City slapped him with an $85 ticket.

Turns out the time was wrong on cameras for 17 buses, a problem that wasn't
discovered until the end of June. More than 500 drivers were erroneously
ticketed, said Noyes. Now, it looks like those folks are entitled to a
refund by the Municipal Transportation Agency. Here's a list of erroneous
citations with license plate numbers.

Aileen Yoo, 12 Aug 2010
http://www.sfgate.com/cgi-bin/blogs/scavenger/detail?entry_id=69967#ixzz=0wQD8vXQh


No fail-safe linkage? 12-year-old paralyzed by ride

Peter G Neumann <neumann@csl.sri.com>
Thu, 5 Aug 2010 18:11:56 -0700

  Operator of Dells ride that injured girl faces felony
  [This was reported by several people.  PGN]

  "He made a mistake, ... He fully cooperated with the investigation. You
  don't do anything criminally wrong and they issue a felony charge and they
  arrest you. A mistake is not a crime, so they didn't need to arrest him. I
  respectfully disagree with the issue as a criminal charge in the case
  where they've shown neglect and nothing more."

  http://tinyurl.com/253jnlt  (host.madison.com)

This was an inevitable accident.  What's amazing is that it took eight years
to happen.  What's lucky is that the first accident wasn't a death.

http://abcnews.go.com/US/florida-teen-critical-condition-100-foot-fall-terminal/story?id=11326023#


Cutoff of YouTube in Siberia due to a single video

Lauren Weinstein <lauren@vortex.com>
Tue, 3 Aug 2010 15:54:16 -0700

Cutoff of YouTube in Siberia due to a single video
http://bit.ly/cKjiUf  (Google European Public Policy Blog)
  [From Network Neutrality Squad]


Mac OS X Mail parental controls vulnerability: Something better to do?

"Jonathan Kamens" <jik@kamens.us>
Tue, 3 Aug 2010 11:04:17 -0400

The parental controls built into the Mac OS X Mail client can be easily
bypassed by anyone who knows the email address of the child and his/her
parent. The Mail client can be fooled into adding any address to the child's
whitelist (i.e., the list of addresses with whom the child is allowed to
correspond), as if the parent had approved the address, without his/her
knowledge or consent. This vulnerability can be taken advantage of by the
child or by any third party anywhere on the Internet.

I have reported this vulnerability to Apple, and they have declined to
assign a CVE ID for it, disclose it to the public, or indicate a time-line
for when it will be disclosed or fixed.

For more information:
http://blog.kamens.us/2010/08/03/mac-os-x-mail-parental-controls-vulnerability/


Stalkers Exploit Cellphone GPS

Monty Solomon <monty@roscom.com>
Fri, 6 Aug 2010 16:33:54 -0400

Justin Scheck, What They Know: Stalkers Exploit Cellphone GPS,
*Wall Street Journal*, 3 Aug 2010

Phone companies know where their customers' cellphones are, often within a
radius of less than 100 feet. That tracking technology has rescued lost
drivers, helped authorities find kidnap victims and let parents keep tabs on
their kids.

But the technology isn't always used the way the phone company intends.  One
morning last summer, Glenn Helwig threw his then-wife to the floor of their
bedroom in Corpus Christi, Texas, she alleged in police reports. She packed
her 1995 Hyundai and drove to a friend's home, she recalled recently. She
didn't expect him to find her.  The day after she arrived, she says, her
husband "all of a sudden showed up." According to police reports, he barged
in and knocked her to the floor, then took off with her car.

The police say in a report that Mr. Helwig found his wife using a service
offered by his cellular carrier, which enabled him to follow her movements
through the global-positioning-system chip contained in her cellphone. ...

http://online.wsj.com/article/SB10001424052748703467304575383522318244234.html


Body scans (Mike M. Ahlers)

"Peter G. Neumann" <neumann@csl.sri.com>
Mon, 9 Aug 2010 11:02:41 PDT

http://www.latimes.com/business/la-fi-travel-briefcase-20100809,0,7868968.story
http://www.cnn.com/2010/US/08/04/marshals.body.images/

Mike M. Ahlers, Agency stored body images from Florida courthouse, CNN,
4 Aug 2010

* The Marshals Service used millimeter wave technology to collect images
* The images were of people entering a federal courthouse in Orlando, Florida
* A sampling of the ghost-like images was obtained under the
  Freedom of Information Act
* The Marshals Service says the images were never accessed before  the request

The U.S. Marshals Service is confirming that it has stored more than 35,000
"whole body" images of people who had entered a U.S. courthouse in Orlando,
Florida.  The images captured by millimeter wave technology are more
ghost-like and far less detailed than those produced by "backscatter"
machines commonly used by the Transportation Security Administration at
airports nationwide.

But the Electronic Privacy Information Center, a privacy rights group that
obtained the Marshals Service photos, said the disclosure shows that body
imaging machines can store intrusive images of people's bodies and that the
federal government will store images in the absence of strong judicial or
legislative restraints.  EPIC and other privacy groups filed suit against
the TSA this year, asking the court to bar it from using body imagers at
airports.

In a letter to EPIC, Justice Department attorneys agreed to give 100 images
of the approximately 35,314 images that were stored on the Orlando
courthouse machine from February 2 until July 28. It called the 100 images a
"representative sample" of stored images.

A U.S. Marshals Office spokeswoman said the Brijot Gen2 machine in Orlando
automatically stores the images to a hard drive, and security officers can
look at an image of the person who just entered the machine and the two
previous images. But all other images can only be accessed via an
administrative passcode, spokeswoman Carolyn Gwathmey said.  Gwathmey said
the stored images had never been accessed before the receipt of the Freedom
of Information Act request.

Marc Rotenberg of the Electronic Privacy Information Center conceded that
the Marshals Service's images are "not particularly revealing" but said this
experience highlights the necessity for prohibitions on government's use of
backscatter technology, which can capture far more revealing images by using
X-rays to provide detailed images in or under a person's clothing.  "The
only thing that is preventing the TSA from [storing images] is that we keep
raising this with them," Rotenberg said.

In written comments this year to CNN, the TSA said images at airports
"cannot be stored, transmitted or printed" when in normal operations.

"TSA has clearly demonstrated the extensive steps and strict measures that
have been taken to protect passenger privacy," the agency said.

The images released to the Electronic Privacy Information Center were
captured by a machine at the Middle District of Florida in the Orlando
courthouse. The Marshals Service also tested a machine at a U.S. courthouse
in Washington for about 90 days in the 2007 and 2008 time frame, Gwathmey
said. During the test, the machine was not used to screen individuals
entering the courthouse, she said.

That machine was returned to the vendor, and any images that may have been
stored on it are no longer under agency control, the Justice Department
said.

[See also CNET.  PGN]
  http://news.cnet.com/8301-31921_3-20012583-281.html?tag=mncol;title


New law bans texting while driving

Monty Solomon <monty@roscom.com>
Wed, 4 Aug 2010 09:18:59 -0400

[Mass.] Governor Patrick Signs Safe Driving Legislation, 02 Jul 2010

New law bans texting while driving for all drivers and cell phone-use
by junior operators; Massachusetts one of 29 states to prohibit
dangerous behavior behind the wheel
http://www.mass.gov/?pageID=gov3pressrelease&L=1&L0=Home&sid=Agov3&b=pressrelease&f=100702_Safe_Driving_Legislation&csid=Agov3

An Act relative to safe driving.
http://www.mass.gov/legis/bills/house/186/ht04/ht04795.htm


Re: BP: "Will no one rid me of this turbulent alarm?"

Steven Bellovin <smb@cs.columbia.edu>
Sun, 8 Aug 2010 11:50:37 -0400

The obvious question, of course, is "why didn't you fix the underlying
problem with the alarm?"  Of course, that can itself be a difficult
business, which raises a separate question: why not have the alarms sound
only in the control room, where the watch stander can evaluate the problem
and sound the rig-wide alarm if something is actually wrong?  My guess is
that that isn't possible.  It may be a deliberate design choice—you want
alarms to warn people even if the watchstander has to leave the room—but
it may be an issue of over-automation.

Some years ago, on an overnight flight, I had a chance to ask the pilot why
he left the seatbelt sign illuminated all night, when the flight was quite
smooth.  The answer was over-automation: the way the plane was designed,
every time he turned it on, a chime sounded and an automated PA system
message warned the passengers.  This meant that even modest turbulence would
result in passengers being awakened.  He didn't like the system, but it
wasn't possible for him to turn it off—some designer, somewhere, felt
that it was better to relieve the pilot of the extra work of sounding the
chime and making an announcement, without really understanding the actual
usage model.


WSJ: What Do Online Advertisers Know About You?

Monty Solomon <monty@roscom.com>
Fri, 6 Aug 2010 16:26:51 -0400

Tim Jones, *Wall Street Journal*, 4 Aug 2010

In a groundbreaking new series titled "What They Know," the *Wall Street
Journal* is taking a close look at the information that online advertisers
collect about you as you browse the Web: "The tracking files represent the
leading edge of a lightly regulated, emerging industry of data-gatherers who
are in effect establishing a new business model for the Internet: one based
on intensive surveillance of people to sell data about, and predictions of,
their interests and activities, in real time."  What the industry knows
about you may surprise you. The articles examine the world of tracking
cookies, and other less well-known tracking technologies like flash cookies
and beacons. They found that "the nation's 50 top websites on average
installed 64 pieces of tracking technology onto the computers of visitors,
usually with no warning."

Using information gathered this way, the advertising industry is able to
accurately guess substantial information about you - often including your
gender, age, income, marital status, credit-rating, and whether you have
children or own a home. The findings are used not only to determine what
advertisements you see, but sometimes to decide what kind of discounts or
credit card offers you're allowed access to. ...
  https://www.eff.org/deeplinks/2010/08/what-they-know

What They Know:
  http://online.wsj.com/wtk

Online Behavioral Tracking:
  http://www.eff.org/issues/online-behavioral-tracking


Re: Quiet electric & hybrid cars endanger ... (Klein, RISKS-26.11)

ishikawa <ishikawa@yk.rim.or.jp>
Tue, 03 Aug 2010 15:26:33 +0900

>  [And what if you are deaf?  PGN]

Prompted by the quiet electric car's noted problem in Japan, especially so
for visually-challenged people, some are experimenting with embedding
an active RFID tag in the car and letting pedestrians such as blind people
carrying the detector learn of approaching cars by means of RFID. The
detecting device warns of the approaching car using a sound warning.

I think the same mechanism can then be used for the deaf by using the
detector to cause some kind of vibration motion depending on the direction
of approaching vehicle, etc.

The cost of having an active tag in each car and the
detecting device carried by the handicapped may not be small. It should be
borne by the society as a whole IMHO.


Re: Risks of free-text fields in medical records (Goldberg, R-26.13)

Thor Lancelot Simon
Tue, 3 Aug 2010 02:11:15 +0000 (UTC)

>With auto-complete fields, typing the beginning of a drug name can trigger a
>pop-up of MANY drugs with the same root, where careless clicking selects the
>wrong one, a common problem with Windows' auto-complete function.

I have never understood why such software does not make the prescriber
select *both* the generic and a trade name for each medication and confirm
that they match.  It seems to me this would basically eliminate such errors.

For example: I am allergic to Voltaren (diclofenac), an anti-inflammatory
drug.  I have more than once found that my medical records contain the false
information that I am allergic to Vytorin (ezetimibe).  I cannot imagine, if
the provider had to select both names with no prompting, this error would
ever happen.

>Similarly, a pull-down field for dosage can lead to careless selection of an
>incorrect value, a common problem with Windows' pull-down selection
>function.

This would be trivially remedied by requiring the dosage to be pulled-down
*and* typed in, and, again, matching values.  For IV drugs, the simplest
cross-check is probably to force the provider to confirm how many minutes
or hours one standard-size bag will last.

PGN writes:

>  [This is one of those issues in which both arguments are partially
>  correct.  Fixed fields are risky with poorly defined, overlapping,
>  or otherwise confusing.   Free-text fields have many other risks.
>  The risks question is much deeper than that dichotomy.  PGN]

But I think it is wrong to highlight only the _risks_ of free-text fields.
Used to confirm what is selected from menus, it seems to me they offer a
considerable opportunity for risk reduction.
