The RISKS Digest
Volume 26 Issue 46

Saturday, 4th June 2011

Forum on Risks to the Public in Computers and Related Systems

ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator



Ash clouds: No Man is an Island
Der Spiegel
Another role for provers?
Martyn Thomas
Diebold employee accused of loading fake money into ATM machines
Henry K Lee
Russian Company Cracks IOS 4 Hardware Encryption
John E. Dunn via Steve Goldstein
Lockheed Martin: Uh-Oh!
Randall Webmail
Updated rogue AV installs on Macs without password
Elinor Mills via Monty Solomon
Sour Cookies in the UK
Gene Wirchenko
Skype is reportedly reverse-engineered: Skype threatens to crush open-source versions
Lauren Weinstein
Excerpted items from Lauren Weinstein's Network Neutrality Squad
Graffiti meets YouTube
Rob Slade
On the risks of an incompletely implemented idea
Jon Seymour
Left hand doesn't talk to right hand
Rick Gee
Study Sees Way to Win Spam Fight
John Markoff via Monty Solomon
Virtual slave labor in China
Mark Thorson
Different banks' ATMs have different masking policies
'A Google Oddity' in the echoes of Y2K
Joe Loughry
Re: "Automatic Updates" considered Zombieware
Steve Loughran
Re: Car Talk and Talk and...
Steve Loughran
Peter Houppermans
Re: You must enable javascript to view this page
Joseph Brennan
Re: REVIEW: "The Black Swan", Nassim Nicholas Taleb
Stephen Bounds
Info on RISKS (comp.risks)

Ash clouds: No Man is an Island

"Peter G. Neumann" <>
Wed, 25 May 2011 10:21:34 PDT

Ash Cloud Caused Flight Disruption in Germany (Der Spiegel Online)

Hundreds of flights were canceled in Germany and tens of thousands of
passengers were forced to change their travel plans on Wednesday after the
ash cloud from an Icelandic volcano shut the airports of Berlin, Hamburg and
Bremen.      [as well as in Ireland and Britain, ... ],1518,764795,00.html

Another role for provers?

Martyn Thomas <>
Wed, 01 Jun 2011 08:41:08 +0100

The complexity of an esoteric Hong Kong financial instrument has come back
to haunt Goldman Sachs after a simple typographical slip threatened to cost
it HK$350m (27m UK pounds).

The error appeared in the small print of a phone book-sized prospectus
accompanying the issue in February of four so-called "exchange-traded
warrants" which offered exposure to Japan's Nikkei index of leading shares.

In a formula to calculate the value of the warrants a multiplication symbol
appeared where there should have been a division.

The potentially costly error appeared in the bank's paperwork despite it
having been scrutinised and approved by the Hong Kong stock exchange.  Such
warrants are hugely popular in Hong Kong, with 14,400 similar products said
to have been issued last year by large investment banks.

It was not until the end of March—almost seven weeks after the warrants
had been issued—that a lawyer from Goldman reported the mistake to the
stock exchange. For almost two hours the price of warrants began to soar
until trading was suspended at the bank's request.

Goldman has offered to buy back warrants at a 10% premium, an offer accepted
by 75% of holders. However, a hard core of large investors believe they are
contractually entitled to considerably more. One told the Economist magazine
the bank's offer was worth HK$10m, whereas a strict application of the
formula suggested the warrants could be worth $350m.
(final paragraphs).

Diebold employee accused of loading fake money into ATM machines

"Peter G. Neumann" <>
Tue, 31 May 2011 19:05:08 PDT

Henry K. Lee at, ATM repairman accused of loading fake
money, *San Francisco Chronicle*, 26 May 2011

An employee of an ATM servicing company has been charged with swapping
$200,000 in fake bills for real cash at machines in Daly City and San
Francisco.  Samuel Kioskli, 64, of San Francisco was wanted on a warrant
when he was arrested during a routine traffic stop in Phoenix on May 11, 10
months after the thefts.  Kioskli was an employee of Diebold, which services
ATMs for Bank of America.  On 4 July 2010, Kioskli went to six bank branches
in San Francisco and one in Daly City and stole about $200,000 by replacing
cash in the machine trays with counterfeit or photocopied $20 bills,

Kioskli used his work card key to access the ATMs and was captured on video
at all seven locations.  The next day, Kioskli "abandoned his wife and
disappeared."  His wife reported him missing, and angry Bank of America
customers contacted the bank to complain about the fake money.  He pleaded
not guilty in San Mateo County Superior Court to charges of burglary,
embezzlement, forgery and possession of counterfeiting apparatus. He is
being held in lieu of $25,000 bail.  He faces similar charges in San

Russian Company Cracks IOS 4 Hardware Encryption

Steve Goldstein <>
May 25, 2011 8:57:32 AM PDT

[Note:  This item comes from Dewayne Hendricks via Dave Farber's IP.]

John E. Dunn, IDG-News-Service, London-bureau, 25 May 2011

Having cracked Apple iPhone backups last year, Russian security company
ElcomSoft appears to have found a reliable way to beat the layered
encryption system used to secure data held on the smartphone itself.

Since the advent of iOS 4 in June 2010, Apple has been able to secure data
on compatible devices using a hardware encryption system called Data
Protection, which stores a user's passcode key on an internal chip using
256-bit AES encryption. Adding to this, each file stored on an iOS device is
secured with an individual key computed from the device's Unique ID (UID).

Apple products containing this security design include all devices from 2009
onwards, including the iPhone 3GS (which can be upgraded to iOS 4), iPhone
4, iPad, iPad 2 and recent iPod Touch models.

ElcomSoft has not explained how it hacked the hardware-stored key system in
detail for commercial reasons, but the first point of attack appears to have
been the user system passcode itself as all other keys are only vulnerable
to attack once the device is in an unlocked state.

The company said it had been aided by subtle weaknesses in the security
architecture used by Apple, starting with the default passcode length of 4
digits. This yields only 10,000 possible number variations, which the
company said most users would likely use to secure their devices without

The only limitation in breaking this key using a brute-force attack was the
need to run through the possible combinations on the iPhone or iOS device
itself, which took between 10 and 40 minutes, far longer than would have
been the case using a desktop PC.

Lockheed Martin: Uh-Oh!

Randall Webmail <>
May 27, 2011 9:56:34 PM EDT

  [From Dave Farber's IP distribution.  PGN]

Reuters is reporting that unknown hackers have broken into the networks of
Lockheed Martin and other major defense contractors and may have gained
access to sensitive information on present and future weapons systems.

Reuters had reported earlier on Friday that "Lockheed Martin, the Pentagon's
No. 1 supplier, is experiencing a major disruption to its computer systems
that could be related to a problem with network security." The disruption
began last Sunday, when security experts detected an intrusion.

According to an anonymous source with knowledge of the attacks, the hackers
used data stolen in March from the RSA security division of EMC Corp. to
duplicate security keys which gave them access to the networks.  [SNIP]

Updated rogue AV installs on Macs without password (Elinor Mills)

Monty Solomon <>
Wed, 25 May 2011 22:34:26 -0400

A new version of rogue antivirus malware that targets the Macintosh
operating system does not need victims to type in their administrator
passwords to install and infect the machine.  The latest version of the
malware has been overhauled to look like a native Mac OS X application and
is using the application name MacGuard, according to an Intego blog
post. But particularly concerning is the fact that unlike previous versions,
which were dubbed Mac Defender, MacProtector, and MacSecurity, MacGuard
installs itself without prompting for the admin password.
[Source: Elinor Mills, CNET, 25 May 2011]

How bad is the Mac malware scare? (FAQ)

How to remove MacDefender fake antivirus program

Securing your Mac from the new MacGuard malware variant

How to avoid or remove Mac Defender malware

Sour Cookies in the UK

Gene Wirchenko <>
Tue, 31 May 2011 11:27:09 -0700

Nearly all UK business websites now technically illegal (EU sites to follow)
31 May 2011

On 26 May 2011, the rules on the use of cookies changed for UK businesses.
You now have to explicitly ask every visitor to your website if they want to
opt-in to `non-essential' cookies.  This includes tracking and analytics
cookies. The penalty for not doing so is a fine of up to 500,000 pounds.

The situation remains fluid at present. The introduction of this new law has
been so shambolic that the UK government is giving businesses 12 months
grace before they start enforcing it. I don't even know if the ruling
applies to businesses based in the UK, web servers based in the UK or any
website with UK visitors (if you do know, please comment below).  Perhaps
Google et al will dream up a technical solution that keeps the EU happy
without me having to make any changes to my website. Maybe pressure from
businesses will force the government to back down. Perhaps someone will find
a loophole (e.g. setting up a company outside the EU to host your
website). Or maybe so many businesses will ignore this ridiculous law that
it will be unenforceable. I am going to wait a few months to see how things
play out.

This change in the law comes from an EU directive, so any of you reading
this in EU countries other than the UK can stop smirking—it is coming
your way as well.

Skype is reportedly reverse-engineered: Skype threatens to crush open-source versions

Lauren Weinstein <>
Sat, 4 Jun 2011 09:33:40 -0700  (phoronix)

"Yesterday we reported on a freelance researcher reverse-engineering the
Skype protocol and beginning to write open-source code that would work with
this popular VoIP network. A representative of Skype has now contacted
Phoronix to inform us they will be taking "all necessary steps" to stop this

 - - -

A quote from Skype (whose new master is Microsoft, let's remember) is quite

  "This unauthorized use of our application for malicious activities like
  spamming/phishing infringes on Skype's intellectual property. We are
  taking all necessary steps to prevent/defeat nefarious attempts to subvert
  Skype's experience. Skype takes its users' safety and security seriously
  and we work tirelessly to ensure each individual has the best possible

Taking a play from other opponents of free speech and open source, we see
Skype attempting to immediately associate open source compatibility efforts
with criminal activities such as spamming/phishing ("safety and security").
I particularly enjoyed the use of the word "nefarious" in the quote, which
is one of my favorite lexemes for invoking "Snidely Whiplash" bad-guy
imagery.

+1 (818) 225-2800 / Skype:
People For Internet Responsibility:
Network Neutrality Squad:

Excerpted items from Lauren Weinstein's Network Neutrality Squad

"Peter G. Neumann" <>
Fri, 3 Jun 2011 11:19:05 PDT

  [Lauren has had a lot of RISKS-worthy items lately on his Network
  Neutrality Squad: .  Here are a few summarized,
  encouraging you to check out his analyses that are omitted here.  PGN]

Skype reportedly reverse-engineered: Skype threatens to crush open-source
versions

Pentagon says black-hat hacking can be an act of war (with LW's analysis)  (WSJ)

  The Pentagon has concluded that computer sabotage coming from another
  country can constitute an act of war, a finding that for the first time
  opens the door for the U.S. to respond using traditional military force
  ... Pentagon officials believe the most-sophisticated computer attacks
  require the resources of a government. For instance, the weapons used in a
  major technological assault, such as taking down a power grid, would
  likely have been developed with state support, Pentagon officials say."

State lawmakers write law so badly it could criminalize casual password
sharing among friends or relatives.  (Huffington)

New Scientist: New media laws could mean jail for ordinary users  (New Scientist)

Virtually all Syria access to Google services appears to have been disrupted  (Google Transparency Report)

Why PROTECT IP Web Censorship Will Fail - But Lead to Much Worse

Twitter exposes British user in court "privacy" vendetta (with LW's analysis)

  "The social network has passed the name, e-mail address and telephone
  number of a south Tyneside councillor accused of libeling the local
  authority via a series of anonymous Twitter accounts. South Tyneside
  council took the legal fight to the superior court of California, which
  ordered Twitter, based in San Francisco, to hand over the user's private
  details.  It is believed to be the first time Twitter has bowed to legal
  pressure to identify anonymous users and comes amid a huge row over
  privacy and free speech online." (UK Guardian)

Graffiti meets YouTube

Rob Slade <>
Thu, 26 May 2011 10:02:37 -0800

A company called Autonomy, which has been selling image search technology,
has launched an apparently freely available (open?) project called Aurasma.
At the moment only available on iPhone 4, this allows you to "augment" the
reality (that the mobile device sees) by adding video to overlay it.

In the article, the reporter/commentator opines that this is a cute trick,
but only that.  I'm going to go out on a limb and predict that this
assessment is short-sighted (albeit only if the technology expands to other
platforms).  Given that YouTube users are uploading 48 hours of video to the
site every minute of the day, I suspect that the ability to create video
graffiti, and "tag" it to any vista, location, or object, will be

Apparently the company thinks this will be a platform that companies will
use to create ads, to promote their products or shops at related locations.
They probably will.  However, myriad users will be creating other content,
for the same images, and we will have SEO (Search Engine Optimization)
battles that will make the malware and phishing sites we see now pale in
comparison.  The Tokyo Chamber of Commerce or tourism board may wish to
overlay video over certain landscapes or landmarks, but how will they stand
up against thousands of geeks who've all seen Godzilla?

On the risks of an incompletely implemented idea

Jon Seymour <>
Wed, 25 May 2011 19:54:57 +1000

is a website dedicated to an idea.

That idea is that resources of worth should be named with persistent
URLs. So, even if the host of a resource changes overtime, the resource
itself can be located by its long-lived, persistent URL.

To this end, has long maintained a database of such URLs.

The way it works is that you register with the site, create a subdomain of
the URL namespace and register URLs in that subdomain and define
associated redirects that point to the actual resource. People who ask for a
resource via its persistent URL are redirected to the website that currently
hosts the resource. If the location of a resource ever changes, the
maintainer of the URL can update the redirect and consumers of the URL are
unaffected by the relocation of the resource.

Nice idea, except that there is a problem.  The site:

 * does not have a password reset feature for maintainer accounts
 * does not document how to reset the password
 * does not respond to e-mails with questions about how to reset
   such passwords
 * doesn't obviously have a mechanism to recover URL space from
   maintainers who die


We have an organisation that has dedicated its entire existence to the idea
that PURLs should be long lived and persistent, but fails to deal with the
problem of a URL maintainer forgetting a password or dying before revealing
the password.

Without a strategy for dealing with such possibilities, what is the point of

Left hand doesn't talk to right hand

Rick Gee <>
Thu, 26 May 2011 13:27:26 -0700

Recently I logged on the City of Kelowna (BC, Canada) website to claim the
home owner grant against my property taxes. The login asks for the Roll
Number and an Access Code, both provided on the tax statement, received via

My Roll Number is five digits followed by a period followed by three
digits. When you enter it that way, you receive an error message, rebuking
you for entering the period. There is no indication on the login screen that
the period must not be entered. Of course, the script handling the login
could remove it, but that might be too simple.

The truly wonderful part of the story is that, once you have logged in, everywhere the Roll Number is shown, the period is included.

Rick Gee, Computer Science department, Okanagan College, Kelowna, BC  250 762 5445 local 4634

Study Sees Way to Win Spam Fight (John Markoff)

Monty Solomon <>
Sun, 29 May 2011 18:51:57 -0400

John Markoff, *The New York Times*, 19 May 2011

For years, a team of computer scientists at two University of California
campuses has been looking deeply into the nature of spam, the billions of
unwanted e-mail messages generated by networks of zombie computers
controlled by the rogue programs called botnets.  They even coined a term,
"spamalytics," to describe their work.

Now they have concluded an experiment that is not for the faint of heart:
for three months they set out to receive all the spam they could (no
quarantines or filters need apply), then systematically made purchases from
the Web sites advertised in the messages.

The hope, the scientists said, was to find a "choke point" that could
greatly reduce the flow of spam. And in a paper to be presented on Tuesday
at the annual IEEE Symposium on Security and Privacy in Oakland, Calif.,
they will report that they think they have found it.

It turned out that 95 percent of the credit card transactions for the
spam-advertised drugs and herbal remedies they bought were handled by just
three financial companies - one based in Azerbaijan, one in Denmark and one
in Nevis, in the West Indies.

The researchers looked at nearly a billion messages and spent several
thousand dollars on about 120 purchases. No single purchase was more than
$277.  [Nick Weaver presented their paper at the IEEE Symposium on Security
and Privacy in May 2011.  PGN]

Virtual slave labor in China

Mark Thorson <>
Sat, 28 May 2011 11:29:37 -0700

Article alleges prison labor is forced to earn virtual gold in World of
Warcraft, which is then sold for real money, a practice called "gold

The risk is creating a virtual world with such value that it affects the
real world.  The article claims that the trade in virtual gold is outside
the control of the proprietors of World of Warcraft, but how can that be
possible?  They control every aspect of their virtual world.  If they don't
control it, it is because they have decided not to control it.

Different banks' ATMs have different masking policies

Fri, 03 Jun 2011 13:05:07 +0800

Different banks' ATMs have different masking policies. So you guessed it,
looking at just a couple of a pocketful of VISA(tm) Cash Advance receipts,
435117851*8*2*8* HUA NAN COMM'L TAIPEI
435117******2188 TAIPEI FUBON B TAIPEI
435117851187**** TAIWAN COOPERA TAIPEI
even a five-year old can figure out the card number.
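The composition of masking policies the post describes, as an added example (not part of the digest): it overlays the digits that several differently masked receipts reveal and counts how many card numbers remain consistent with the overlay. The receipt strings are constructed around the well-known Visa test number 4111 1111 1111 1111, not the digits printed in the post.

```python
"""Masking-policy audit: do several differently masked receipts,
taken together, still hide the card number (PAN)?

Added example; the receipt lines are constructed around the Visa test
number 4111 1111 1111 1111, not the numbers in the digest."""
from itertools import product

# Constructed receipt lines: three masking policies for the same card.
RECEIPTS = [
    "411111111*1*1*1*",   # policy A: every other digit of the tail masked
    "411111******1111",   # policy B: first six and last four shown
    "411111111111****",   # policy C: only the last four masked
]


def luhn_valid(pan: str) -> bool:
    """Standard Luhn check: double every second digit from the right."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def merge_masks(masks):
    """Overlay the digits each receipt reveals; '*' stays where none does.
    Receipts that disagree on a revealed digit cannot be the same card."""
    length = len(masks[0])
    merged = ["*"] * length
    for m in masks:
        if len(m) != length:
            raise ValueError("receipts mask PANs of different lengths")
        for i, ch in enumerate(m):
            if not ch.isdigit():
                continue
            if merged[i] not in ("*", ch):
                raise ValueError(f"receipts disagree at position {i}")
            merged[i] = ch
    return "".join(merged)


def candidate_pans(merged: str, max_unknown: int = 4):
    """List the PANs consistent with the merged mask that pass Luhn.
    Refuses to enumerate more than 10**max_unknown possibilities."""
    unknown = [i for i, ch in enumerate(merged) if ch == "*"]
    if len(unknown) > max_unknown:
        raise ValueError(f"{len(unknown)} unknown digits: too many to list")
    found = []
    for combo in product("0123456789", repeat=len(unknown)):
        digits = list(merged)
        for pos, d in zip(unknown, combo):
            digits[pos] = d
        pan = "".join(digits)
        if luhn_valid(pan):
            found.append(pan)
    return found


def exposure(masks, max_unknown: int = 4):
    """Summarise what someone holding all of these receipts learns:
    the merged mask, how many digits stay unknown, and (when small enough
    to enumerate) how many Luhn-valid PANs remain."""
    merged = merge_masks(masks)
    unknown = merged.count("*")
    count = None
    if unknown <= max_unknown:
        count = len(candidate_pans(merged, max_unknown))
    return {"merged": merged, "unknown_digits": unknown,
            "luhn_candidates": count}


if __name__ == "__main__":
    for r in RECEIPTS:
        print(r, "alone ->", exposure([r]))
    print("all three ->", exposure(RECEIPTS))
```

A single policy-B receipt leaves six digits unknown, while the three policies together leave none, which is the leak the post points at.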

'A Google Oddity' in the echoes of Y2K

Joe Loughry <>
Mon, 16 May 2011 22:56:58 +0100

The chemistry blog 'In the Pipeline' on 16th May 2011 pointed out an interesting higher-order
effect possibly attributable to Y2K errors:

'...if you search the word "biotechnology" in Google's Ngram search engine,
something odd happens. There's the expected rise in the 1970s and 80s, but
there's also a bump in the early 1900s, for no apparent reason. Curious
about this, I ran several other high-tech phrases through and found the
exact same effect.

'Here's a good example, with some modern physics phrases. And you get the
same thing if you search "nanotechnology", "ribosome", "atomic force
microscope", "RNA interference", "laser", "gene transfer", "mass
spectrometer" or "nuclear magnetic resonance". There's always a jump back in
exactly the same period on the early 1900s.'

The brief fashion amongst Victorians for writing articles about string
theory and dark matter could be the result of '1999 + 1 = 1900'.  Perhaps.
But how likely is that really, a decade past Y2K?  Is it not more plausible
that today's students remain unaware of results in dusty journals on library
stacks that are not easily available on-line yet?

The Higgs boson was found in Prague in 1925.  It just hasn't got through
peer review yet.


Joe Loughry, Doctoral student, Computing Laboratory, St Cross College, Oxford

Re: "Automatic Updates" considered Zombieware

Steve Loughran <>
Wed, 25 May 2011 10:38:47 +0100

Henry Baker complains about the amount of network traffic dedicated to
downloading background updates.

Consider this
1. Every program that is capable of parsing untrusted content from
   remote web sites is potentially vulnerable to exploits of parser
   errors or other security holes.
2. Every program that can open files downloaded from web sites is
   capable of parsing untrusted content.
3. By default, Internet Explorer, Firefox and other browsers will
   hand off remote content to the application that is registered to
   handle it, based on MIME type and file extension.
4. Therefore, every program that can open a file is potentially a
   security risk that has to be kept patched.

When you also add in function creep, especially in the Acroread family,
the vulnerability of applications increases. Who knew that Excel
spreadsheets could host Flash content with 0-day exploits until RSA got
owned that way?  Who knew that Acroread had JavaScript support until
exploits for it started appearing in the wild? Keeping every
Internet-connected application patched is essential—which means every
application you have installed. Yet neither Windows nor OS X has a service that allows
third party applications to keep themselves up to date; instead they must
install their own "updater" applications, which slow down system boot,
increase the memory footprint, and which don't collaborate to keep bandwidth
allocated to updates under control. At least on Linux, the updater tools,
apt and yum, do keep everything up to date in one go, even if there is a
potential lag between a vendor-released patch and the new binaries getting
into the Linux repositories. But don't think the bandwidth used for Linux
updates is any less—it's just that you can schedule your weekly update to
a time that suits you, not the programs.

Re: Car Talk and Talk and... (Joseph B. White)

Steve Loughran <>
Wed, 25 May 2011 10:24:07 +0100

The idea of having cars talk to each other or the infrastructure seems to
miss an important point: As of 2008 in the UK, the majority of people Killed
or Seriously Injured (KSI) are not actually in motor vehicles: they are
people on foot or bicycle [1]. While in a decade driving has become safer,
due to all the features added to cars, a side effect has been that per
passenger mile, walking and cycling has become more dangerous relative to
being in a car. Yet it is the people driving that are the primary sources of
death and (serious) injury.

Any feature in cars that allows drivers to pay less attention to the road
isn't going to increase road safety; it will become another risk
compensation feature, especially in cities: "now you can check in to
facebook while driving!"

Clearly car manufacturers would like to sell these features either in terms
of passenger safety, fuel economy and a way of introducing technical
obsolescence in vehicles that would otherwise last for many years, and
companies whose business models depend on people consuming data or voice
(telcos, web companies) would support it too. However it's not clear to me
how much it would improve safety compared to adding black-box systems to
cars; to log the actions prior to any collision, the state of the vehicle,
maybe even off-car data rates, videos from the car and neighbouring cars
after a collision event.  These may change people's behaviour better than
saying "don't worry about hitting anything, as the computer in your car will
look out for you".


Re: Car Talk and Talk and (26.45)

Peter Houppermans <>
Wed, 25 May 2011 08:27:53 +0200

Regarding "Car Talk and Talk and.." (Joseph B. White via Eli the
Bearded) - RISKS 26.45

There are indeed a number of issues I would like to see worked out first.  A
small selection:

* Who is liable when I'm not really in charge of my car and an accident
  occurs?  These systems can have a better reaction time than a human being,
  but they "cannat change the laaw of physics" (apologies for my poor
  rendering of an irreplaceable Scottish accent).

* The better reaction time will give indeed an adoption cycle problem,
  similar to what took place with early ABS systems: your equipped car may
  manage a panic stop, but the likelihood of being rear-ended by a
  non-equipped car is very high (been there..).

* Not a word on fighting external influences.  Car connectivity is already
  giving rise to concerns as it provides a gateway to onboard electronics
  (which presently appear to have somewhere between poor to no defense at
  all against "creative engineering").  It's just over a year ago that a
  research team found they could hack into a car on remote, and gain so much
  control over the onboard electronics that they could disable the
  brakes(*).  That's a really fun virus to spread in a chain of cars that
  follow each other to minimise wind resistance.

* Speaking of wind resistance - this will need some algorithm to change the
  front end car which is taking the economy hit for being up front.  Indeed,
  I can see some home hacks which may stop a car from chaining if it is
  upfront, leaving others to pick up the bill..

Et cetera ad infinitum - the above was without even coffee in my system, so
a dedicated research team or someone with malicious intent will most
certainly come up with more..

2012: A *car* Odyssey?


Re: You must enable javascript to view this page (jidanni, R 26 45)

Joseph Brennan <>
Thu, 26 May 2011 09:43:13 -0400

> You must enable javascript to view this page. This is a requirement of
> our licensing agreement with music Gracenote.

Besides that, lynx lists an incredible 218 links on that page, most of which
are not visible in Firefox.  I pasted into Firefox one of the links of the
form '' and it gave me write access to
the user's profile, blog, favorite pages, pages the user is following, and

Re: REVIEW: "The Black Swan", Nassim Nicholas Taleb

"Stephen Bounds" <>
Wed, 25 May 2011 01:44:26 +0000

I actually think Taleb's "Fooled by Randomness" is a better book.  In my
opinion, it makes the case for being aware of "Extremistan's" power law
distributions much better.

Taleb does spend a long time to say not very much.  But I feel there are
three key lessons that all "RISKS" readers should learn:

1. Don't assume a Gaussian distribution ("Mediocristan") of event
   propensities in a given situation.  Try to check if in fact a power law
   distribution ("Extremistan") applies.

2. Recognise that people who wrongly assume Mediocristan will take
   inadequate mitigation steps, due to their false presumption that large
   deviations from the observed mean are vanishingly small.

3. Design your systems and processes to be resilient rather than protective.
   This will allow a rapid recovery from any event, even those you didn't
