The RISKS Digest
Volume 26 Issue 59

Sunday, 23rd October 2011

Forum on Risks to the Public in Computers and Related Systems

ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator



China Bullet Trains Trip on Technology
NJ election cover-up
Andrew Appel via Monty Solomon
Gas bill climbed 13,000 pounds after correct online reading given
Gabe Goldberg
Robot editors strike again
Earl Boebert
Computer Virus Hits U.S. Drone Fleet
WiReD via Joly MacFie
BlackBerry Outage Linked to Massive Drop in Traffic Crashes
Brad Aaron
Re: Blackberry outage saves lives
Mark Thorson
Security Vulnerability In HTC Android Devices
Artem Russakovskii
Skype for iPhone makes stealing address books a snap
Dan Goodin
Massive HTC Android phone vulnerabilities reported
John P. Mello Jr. via Gene Wirchenko
AmEx 'debug mode left site wide open'
John Leyden via Monty Solomon
Air traffic control data found on eBayed network gear
John Leyden
Skype flaw allows BitTorrent users to be identified
Jeremy Kirk
Adobe flash design would let authorities order Adobe to turn on your mic/camera remotely
Steve Bellovin
FBI Official Calls for Secure, Alternate Internet
Lauren Weinstein
Researchers crack W3C encryption standard for XML
Lauren Weinstein
Better Business Bureau offers rogue script browser peril
Gabe Goldberg
Washington objects, OnStar reverses tracking policy
Re: United Airlines uses 11,000 iPads ...
John Stanley
ACSAC 2011 open for registration
Jeremy Epstein
Info on RISKS (comp.risks)

China Bullet Trains Trip on Technology (Areddy/Shirouzu)

"Peter G. Neumann" <>
Tue, 4 Oct 2011 17:25:15 PDT

James T. Areddy (Shanghai) and Norihiko Shirouzu (Beijing), *The Wall Street
Journal*, 3 Oct 2011; PGN-ed. Yang Jie in Shanghai and Yoli Zhang in Beijing
contributed to this article.

The *WSJ* item is quite long.  I attempt to make a very long story and still
unresolved short: Hitachi used components in China's high-speed rail
signaling system that were delivered to them as black boxes from Hollysys
Automation Technologies Ltd., with no specs or details—to hinder reverse
engineering.  This clearly also hindered system testing, and seems likely to
have contributed to recent deadly crashes.

NJ election cover-up (Andrew Appel)

Monty Solomon <>
Wed, 28 Sep 2011 08:10:56 -0400

By Andrew Appel, Freedom to Tinker, 13 Sep 2011

During the June 2011 New Jersey primary election, something went wrong in
Cumberland County, which uses Sequoia AVC Advantage direct-recording
electronic voting computers. From this we learned several things:

  1. New Jersey court-ordered election-security measures have not been
     effectively implemented.

  2. There is a reason to believe that New Jersey election officials have
     destroyed evidence in a pending court case, perhaps to cover up the
     noncompliance with these measures or to cover up irregularities in this
     election. There is enough evidence of a cover-up that a Superior Court
     judge has referred the matter to the State prosecutor's office.

  3. Like any DRE voting machine, the AVC Advantage is vulnerable to
     software-based vote stealing by replacing the internal vote-counting
     firmware. That kind of fraud probably did not occur in this case. But
     even without replacing the internal firmware, the AVC Advantage voting
     machine is vulnerable to the accidental or deliberate swapping of
     vote-totals between candidates. It is clear that the machine
     misreported votes in this election, and both technical and procedural
     safeguards proved ineffective to fully correct the error.

Did NJ election officials fail to respect court order to improve security of

Will the NJ Attorney General investigate the NJ Attorney General?

What happens when the printed ballot face doesn't match the electronic ballot definition?

Gas bill climbed 13,000 pounds after correct online reading given

Gabe Goldberg <>
Sat, 22 Oct 2011 23:23:40 -0400

*Register* Reader and Stockport dweller Rob was shocked to find that trying
to save his mother a few pounds on her gas bill ended up pushing the tab up
13,088.43 pounds, rather than down the 20 quid he was expecting.  It was the
unlikely result of entering a meter reading on Southern Electric's website.

We asked Southern Electric what went wrong. Turns out it is down to a weird
feature of their website which would put other customers looking to save a
few pounds at the same risk of being over-billed by ten thousand odd.

Instead of just taking the number down 23 and recalculating accordingly,
their bill-calculator programme went through into a whole new cycle - pushed
the meter up to 9999, down to zero again and then up to 7305.  Meaning that
they assumed it had gone up 9,977 since last time, rather than down 23.
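As an added example (not code from the article or from Southern Electric's site), the rollover arithmetic the article describes, modelled in Python beside a version that flags a lower-than-previous reading for review instead of billing it; the 4-digit meter range and the 500-unit plausibility threshold are assumptions.

```python
# Model of the meter-reading arithmetic described above (constructed
# illustration; the real billing code is not public).
from dataclasses import dataclass
from typing import Optional

# Assumption: a 4-digit mechanical register that reads 0000..9999 and wraps.
METER_MODULUS = 10_000


def naive_units_used(previous: int, current: int) -> int:
    """The behaviour the article describes: a reading lower than the last
    one is always treated as a wrap past 9999, never as a correction."""
    return (current - previous) % METER_MODULUS


@dataclass
class ReadingResult:
    units: Optional[int]   # None means "do not bill; reading needs review"
    reason: str


def validated_units_used(previous: int, current: int,
                         max_plausible_units: int = 500) -> ReadingResult:
    """Same arithmetic, but any reading implying an implausible jump is held
    for human review instead of being billed. max_plausible_units is an
    assumed per-period ceiling; a real system would derive it from history."""
    if not (0 <= previous < METER_MODULUS and 0 <= current < METER_MODULUS):
        return ReadingResult(None, "reading outside meter range")

    if current >= previous:
        used = current - previous
        if used > max_plausible_units:
            return ReadingResult(None, "implausibly high consumption; review")
        return ReadingResult(used, "normal reading")

    # current < previous: either the meter wrapped, or the customer is
    # correcting an earlier over-estimate (the case in the article).
    wrapped = (current - previous) % METER_MODULUS
    near_top = previous >= METER_MODULUS - max_plausible_units
    if near_top and wrapped <= max_plausible_units:
        return ReadingResult(wrapped, "meter wrapped past 9999")
    return ReadingResult(None, "reading below previous; likely a correction of "
                               "an estimated reading, do not bill")


if __name__ == "__main__":
    # Constructed readings matching the article: the meter went DOWN 23 units.
    prev, now = 7328, 7305
    print("naive:", naive_units_used(prev, now))          # 9977, as billed
    print("validated:", validated_units_used(prev, now))  # held for review
```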

Robot editors strike again

Earl Boebert <>
Sat, 15 Oct 2011 09:39:38 -0600

I just made a posting over on the Deepwater Horizon thread on gCaptain.
I used the word "adversarial" (without quotes).  Robot changed it to:

  advers"lux-sans-1"  (with quotes)

I changed it to "headbutting" and went on with life.

Computer Virus Hits U.S. Drone Fleet (WiReD)

Joly MacFie <>
October 7, 2011 5:37:02 PM EDT

A computer virus has infected the cockpits of America's Predator and Reaper
drones, logging pilots' every keystroke as they remotely fly missions over
Afghanistan and other warzones.  The virus included a key-logger payload,
and had been detected by the military's Host-Based Security System, nearly
two weeks before the *WiReD* item appeared.  It has reportedly not
prevented pilots at Creech Air Force Base in Nevada from flying their
missions overseas.  And there are no confirmed incidents of classified
information being lost or sent to an outside source.  However, the virus has
resisted multiple efforts to remove it from Creech's computers.  The
infection underscores the ongoing security risks in what has become the
U.S. military's most important weapons system.  "We keep wiping it off, and
it keeps coming back.  We think it's benign.  But we just don't know."
[PGN-ed from the *WiReD* Danger Room]

BlackBerry Outage Linked to Massive Drop in Traffic Crashes (Brad Aaron)

Monty Solomon <>
Thu, 20 Oct 2011 14:56:19 -0400

According to data released last week by NYPD, distracted drivers were the
leading cause of city traffic crashes in August. Of 16,784 incidents, 1,877
were attributed to "driver inattention/distraction," while an additional 10
were linked specifically to phones or other electronic devices.

While NYPD reports make it impossible to decipher exactly how many city
drivers are texting or talking before a crash - we'll go out on a limb and
assume it was more than 10 - the recent BlackBerry service outage in Europe,
Africa and the Middle East served to illustrate the extent of the problem in
two cities. ...  [Source: Brad Aaron, BlackBerry Outage Linked to Massive
Drop in Traffic Crashes, StreetsBlog, 17 Oct 2011]

Re: Blackberry outage saves lives

Mark Thorson <>
Mon, 17 Oct 2011 10:07:49 -0700

The three-day Blackberry outage saw traffic accidents fall 20% in Dubai
and 40% in Abu Dhabi.

In this case, the normal condition is the *risk*, and the aberrant condition
is safer.  Perhaps this could be exploited by throttling down network
traffic during hazardous driving conditions, such as the first heavy rain of
the season, major holiday evenings, and at the end of large sports events.

Security Vulnerability In HTC Android Devices (Artem Russakovskii)

Monty Solomon <>
Tue, 4 Oct 2011 00:53:35 -0400

Artem Russakovskii: Massive Security Vulnerability In HTC Android Devices
(EVO 3D, 4G, Thunderbolt, Others) Exposes Phone Numbers, GPS, SMS, Emails
Addresses, Much More, 3 Oct 2011

I am quite speechless right now. Justin Case and I have spent all day
together with Trevor Eckhart (you may remember him as TrevE of DamageControl
and Virus ROMs) looking into Trev's findings deep inside HTC's latest
software installed on such phones as EVO 3D, EVO 4G, Thunderbolt, and

These results are not pretty. In fact, they expose such ridiculously
frivolous doings, which HTC has no one else to blame but itself, that the
data-leaking Skype vulnerability Justin found earlier this year pales in
comparison. Without further ado, let me break things down.

The Vulnerability

In recent updates to some of its devices, HTC introduces a suite of logging
tools that collected information. Lots of information. LOTS.  Whatever the
reason was, whether for better understanding problems on users' devices,
easier remote analysis, corporate evilness - it doesn't matter. If you, as a
company, plant these information collectors on a device, you better be DAMN
sure the information they collect is secured and only available to
privileged services or the user, after opting in.

That is not the case. What Trevor found is only the tip of the iceberg - we
are all still digging deeper - but currently any app on affected devices
that requests a single android.permission.INTERNET (which is normal for any
app that connects to the web or shows ads) can get its hands on. ...

Skype for iPhone makes stealing address books a snap (Dan Goodin)

Randall Webmail <rvh40@INSIGHTBB.COM>
October 22, 2011 12:35:13 PM EDT

Dan Goodin, *The Register*, 20 Sep 2011

Just add JavaScript

If you use Skype on an iPhone or iPod touch, Phil Purviance can steal
your device's address book simply by sending you a chat message.

In a video posted over the weekend, the security researcher makes the
attack look like child's play. Type some JavaScript commands into the
user name of a Skype account, use it to send a chat message to
someone using the latest version of Skype on an iPhone or iPod touch,
and load a small program onto a webserver. Within minutes, you'll
have a fully-searchable copy of the victim's address book. ...

Massive HTC Android phone vulnerabilities reported (John P. Mello Jr.)

Gene Wirchenko <>
Tue, 04 Oct 2011 09:37:50 -0700

John P. Mello Jr., Massive HTC Android phone vulnerabilities reported:
Researchers say HTC failed to respond after they notified the firm of
threat risks on 24 Sep.  4 Oct 2011

selected text:

Security researchers say they've uncovered a flaw in several smartphone
models produced by HTC that gives any application that has Internet access
the keys to a trove of information on the phone, including e-mail addresses,
GPS locations, phone numbers, and text message data.

The modifications made to Android by HTC allow any application that you give
permission to access the Internet from the phone access to a plethora of
sensitive information on the device. What's more, it also has permission to
send the data that it finds wherever it wants on the Net without your

  [See also an Infoworld item.  PGN]

AmEx 'debug mode left site wide open'

Monty Solomon <>
Sun, 9 Oct 2011 11:38:28 -0400

John Leyden, AmEx 'debug mode left site wide open', says hacker,
Customer cookies 'at risk', *The Register*, 7 Oct 2011

An alleged vulnerability on American Express site exposed customers to a
serious security risk before the credit card giant closed down a portion of
its site on Thursday afternoon.

Researcher Niklas Femerstrand claimed the problem arose because the debug
mode of the site had inexplicably been left on, thus
providing access to vulnerable debug tools. The security shortcoming
created a possible mechanism to harvest users' authentication cookies,
according to Femerstrand. ...

Air traffic control data found on eBayed network gear (John Leyden)

Monty Solomon <>
Sat, 1 Oct 2011 09:27:16 -0400

John Leyden, NATS passwords and info left on switch [costing 20 pounds],
*The Register*, 30 Sept 2011

A switch with networking configurations and passwords for the UK
traffic control centre was offered for sale on eBay, raising serious
security concerns.

Skype flaw allows BitTorrent users to be identified (Jeremy Kirk)

Gene Wirchenko <>
Fri, 21 Oct 2011 10:26:23 -0700

Jeremy Kirk, Skype flaw allows BitTorrent users to be identified:
Researchers have demonstrated it's possible to link BitTorrent users
to Skype account information via IP addresses. It's a possible risk
to Skype's user privacy. *ITBusiness*, 21 Oct 2011

Adobe flash design would let authorities order Adobe to turn on your
mic/camera remotely (Steve Bellovin)

Lauren Weinstein <>
Sat, 22 Oct 2011 09:18:27 -0700

  Adobe flash design would let authorities order Adobe to turn on your
  mic/camera remotely  (CircleID / Steven Bellovin)
  (via NNSquad)

  "From a technical perspective, it's simply wrong for a design to outsource
  a critical access control decision to a third party. My computer should
  decide what sites can turn on my camera and microphone, not one of Adobe's
  servers.  The policy side is even worse. What if the FBI wanted to bug
  you? Could they get a court order compelling Adobe to make an access
  control decision that would turn on your microphone?"

FBI Official Calls for Secure, Alternate Internet

Lauren Weinstein <>
Sat, 22 Oct 2011 12:26:11 -0700

  "In an Associated Press interview Thursday, [Shawn] Henry [FBI executive
  assistant director] said jihadist militants looking to harm the U.S. can
  tap organized crime groups who are willing to sell their services and
  abilities to attack computer systems.  He would not say which terror group
  or whether any insurgent networks have actually been able to acquire the
  high-tech capabilities.  But he said one way to protect critical utility
  and financial systems would be to set up a separate, highly secure
  Internet.  Henry sketched out the Internet idea to a crowd at a conference
  of the International Systems Security Association, saying that
  cyberthreats will always continue to evolve and outpace efforts to defend
  networks against them."

I won't even begin here to discuss the myriad reasons why this approach is
so incredibly problematic and—dare I say it—technologically naive.

Researchers crack W3C encryption standard for XML

Lauren Weinstein <>
Fri, 21 Oct 2011 10:46:13 -0700

  "A pair of German researchers revealed at the ACM Conference on Computer
  and Communications Security in Chicago this week that they have discovered
  a way to decrypt data within XML documents that have been encrypted using
  an implementation of the World Wide Web Consortium's XML Encryption
  standard."  (ars technica)

Better Business Bureau offers rogue script browser peril

Gabe Goldberg <>
Sat, 22 Oct 2011 23:30:22 -0400

A JavaScript redirect on the BBB blogs site (hosted by WordPress) was
spawning an iframe to download malware for several days before it was
shut down.  [PGN-ed]

Washington objects, OnStar reverses tracking policy (Re: RISKS-26.58)

Lauren Weinstein <>
Wed, 28 Sep 2011 10:31:30 -0700

  "Only a few days after it made what U.S. Senator Charles Schumer (D-NY)
  called "brazen" changes to its privacy policy, General Motors subsidiary
  OnStar has backed down and said it would revert back to its previous terms
  of service.  OnStar ignited a firestorm of criticism when it announced it
  would continue to collect information about customers of its onboard auto
  services even after their subscription ends - unless specifically
  instructed by the consumer not to. In the past OnStar would have ended
  such tracking when a subscription ended.  OnStar typically collects data
  about customers' location, speed, driving habits and odometer mileage."  (*Computerworld*)

Re: United Airlines uses 11,000 iPads to take planes paperless

Stephen Irons <>
Tue, 20 Sep 2011 16:23:56 +1200

In Risks Digest 26.56, Geoff Kuenning wrote:

> Re: United Airlines uses 11,000 iPads to take planes paperless
> But of course passengers will still be prohibited from using those same
> devices while the pilots have them turned on...

Patrick Smith writes the column 'Ask the Pilot' for In ,
he writes:

  You were wondering, meanwhile ...

  Now that pilots can use their iPads in the cockpit, shouldn't passengers
  be allowed to use them in the cabin, whenever they want to? And doesn't
  this prove that the rules about electronic devices aren't really

  Not quite. The main reason tablets and laptops are banned during takeoff
  and landing isn't because of concerns over interference, but because they
  might hinder an evacuation, and are potentially dangerous projectiles in
  the event of an impact or rapid deceleration. I suspect you don't want a
  Kindle or MacBook knocking you in the head at 180 miles per hour. The
  devices in the cockpit will need to be stowed or secured as well.

Stephen Irons, Tait Radio Communication
175 Roydvale Ave, Christchurch, New Zealand  DDI: +64 - 3 - 357-0713

Re: United Airlines uses 11,000 iPads ... (Douglass, RISKS-26.56)

John Stanley <>
Wed, 28 Sep 2011 11:39:04 -0700 (DT)

Andrew Douglass <>:

  If they require everyone to turn off wireless capabilities to avoid
  interference with instruments and communication (I trust there is a safety
  argument as well), is this not also a confession that there IS a

Of course. This is not a secret. Any radio system can be jammed.

There are also "of course" ways of avoiding jamming. Spread spectrum systems
developed for the military are one. With this jam resistance come three
major problems. First, the cost of replacing every avionics system in every
airplane on the planet to work with the new, unjammable ground radio systems
(ILS, voice, ADF, marker beacon, MLS, VOR, DME, etc.) would be
astronomical. This change would make every current handheld backup radio
immediately obsolete, reducing the safety factor of being able to have a
handheld backup for critical functions (and excluding all aircraft where the
only radio systems are handheld.)

Second, with the added complexity of this system comes new failure modes.

And third, once you are building aviation radios that cannot be jammed by
simple sources, you have aviation radios that can be jammed by someone who
has bought or stolen one of the new complex radios. Spread spectrum works
for the military because their radios and programming are classified.  There
can be no such security for aviation systems because every airplane in the
sky needs to be a part of the system.

All you would accomplish is making the prices of aviation radios skyrocket
beyond the current ridiculous prices.

You can work very hard to shield and ground everything that must be
protected, but once the aircraft leaves the factory the normal cycle of wear
and tear will begin. You cannot inspect every inch of wire every day, or
even every month, to detect fraying or corrosion.

But that's just the airplane itself. You forget the issue of the electronic
devices being carried by passengers. Properly designed, properly maintained,
and properly certificated non-intentional radiators should remain within
legal limits for radiation and not be able to overcome properly designed and
properly maintained shielding on the aircraft, but ...

In 2004, a presumably properly designed Toshiba television began radiating a
carrier signal on 121.5 MHz at a level sufficient to trigger the then
operational SARSAT system, which alerted searchers to the problem. The
television design had certainly passed FCC muster for unintentional
radiators, and yet this television was literally screaming exactly on the
international distress frequency.

That is just one example. I use it because I was there and part of the group
that found it. I mentioned previously the interference from a properly
designed and properly maintained radio within the cockpit that interfered
with another properly designed, properly maintained radio.

Yes, interference with aircraft avionics systems is a well-known hazard.  It
happens. It can be mitigated but not eliminated. If doing something as
simple as turning off all electronics devices during take-off and landing
will keep it from happening during those two flight-critical operations,
then I suggest those that worry about the twenty minutes they can't work
cutting into their sleep spend that time sleeping. The value of napping has
been reported in the medical literature.

ACSAC 2011 open for registration

Jeremy Epstein <>
Thu, 20 Oct 2011 17:31:06 -0400

The Annual Computer Security Applications Conference (ACSAC) invites you to
come learn and network with world-class security practitioners this December
in Orlando.  Keynoting ACSAC 2011 will be Susan Landau (privacy use cases)
and Terry Benzel (security experimentation), with classic paper
presentations by Paul Syverson (onion routing) and Matt Blaze (key escrow).

This year's outstanding technical program includes 39 accepted papers (out
of 195 submitted), along with panels and case studies.  Look for returning
favorites, such as the New Security Paradigms Workshop Highlights panel, as
well as new sessions ranging from Social Network Security and Applied
Cryptography to Mobile Security and Situational Awareness.  Also, don't miss
out on the workshops, FISMA training, and professional development courses,
including for the first time at ACSAC, Tracer FIRE—a forensic and
incident response exercise & competition.  All of which, along with the
technical program, qualify for continuing education credit.

Whether your interest is web security, virtualization, applied cryptography,
botnets, anonymity, security usability, or software protection, you are sure
to find plenty to learn about and discuss with your colleagues at ACSAC

Program and Registration are available at  Early registration
deadline is November 11th.

Works-in-progress (short) presentations will be accepted until the
start of the conference subject to space availability.
