The RISKS Digest
Volume 26 Issue 62

Friday, 18th November 2011

Forum on Risks to the Public in Computers and Related Systems

ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

Please try the URL privacy information feature enabled by clicking the flashlight icon above. This will reveal two icons after each link the body of the digest. The shield takes you to a breakdown of Terms of Service for the site - however only a small number of sites are covered at the moment. The flashlight take you to an analysis of the various trackers etc. that the linked site delivers. Please let the website maintainer know if you find this useful or not. As a RISKS reader, you will probably not be surprised by what is revealed…


U.S. water plants reportedly hit by cyber attacks
Gene Wirchenko
Remotely Opening Prison Doors
Bruce Schneier
Digital surveillance camera held sensitive unrelated photos
Mark Brader
The government is going overboard in Internet copyright control
Vint Cerf
"Who Decides Who You Are Online?"
Somini Sengupta
Facebook's tracking of other Web site visits under fire
USA Today
How Google, by voluntarily implementing facial blurring...
"Coming conundrum: Malware signed by a legitimate developer"
Robert Lemos
Standard and Poor's and France's credit
Mark Brader
Congress Declares War on the Global Internet - Internet Replies "Bring It On!"
Lauren Weinstein
Insider fraud
Michael Lee
Re: ANA plane goes nearly belly up ... wrong knob turned
Tony B Atkinson
Re: The Coming Fascist Internet
Mike Smith
Does this icon mean YES or NO?
Info on RISKS (comp.risks)

Update: U.S. water plants reportedly hit by cyber attacks

Gene Wirchenko <>
Fri, 18 Nov 2011 11:33:37 -0800

Robert Lemos, *InfoWorld*, 18 Nov 2011
Update: U.S. water plants reportedly hit by cyber attacks
In separate incidents, hackers allegedly caused a water pump failure at an
Illinois utility and showed off purported access to water supply systems for
a Texas city

opening text:

Security experts have long worried that a knowledgeable hacker could damage
the critical infrastructure that supplies power, water, and other utilities
to U.S. citizens. The few incidents of cyber attacks on utilities, where
details became public, have underscored the danger while at the same time
signaling that such attacks may not be common.

Two events this week may change that perception.

Remotely Opening Prison Doors (CRYPTO-GRAM, November 15, 2011)

Bruce Schneier <schneier@SCHNEIER.COM>
Tue, 15 Nov 2011 01:42:55 -0600

Bruce Schneier, Chief Security Technology Officer, BT,, PGN-excerpted from CRYPTO-GRAM, 15 Nov 2011,

Researchers have found a vulnerability in computer-controlled prison-door
systems that allows them to be remotely opened over the Internet.  This
assumes that they're connected to the Internet in the first place, which
some of them are.

The weirdest part of the article was this last paragraph.

  "You could open every cell door, and the system would be telling the
  control room they are all closed," Strauchs, a former CIA operations
  officer, told the Times. He said that he thought the greatest threat was
  that the system would be used to create the conditions needed for the
  assassination of a target prisoner.

I guess that's a threat.  But the *greatest* threat?

The original paper:

Digital surveillance camera held sensitive unrelated photos

Mark Brader
Wed, 16 Nov 2011 17:54:50 -0500 (EST)

In Grand Forks, BC, Canada, Dion Nordick saw a camera flash outside
his home, and found two surveillance cameras on poles overlooking
the place.  They belong to the RCMP (Royal Canadian Mounted Police),
who Nordick thinks suspect him of graffiti and/or drug offenses.

Nordick took the cameras down and looked at the pictures taken.
And he found that one camera held large numbers of photos related
to unrelated incidents, taken before it was placed there.  Among
other things, there were photos of a woman in her underwear,
showing her bruise-covered body; also drug busts and suicides.

Even if the RCMP is right when they say that the cameras were legally
placed on public property and Nordick's action is a theft, it still
seems as though they could have done a better job as regards
protecting the privacy of those photos.

The government is going overboard in Internet copyright control

Lauren Weinstein <>
Mon, 14 Nov 2011 16:20:57 -0800
  (Vint Cerf)

Vint Cerf: The government is going overboard in Internet copyright control  (VentureBeat)

  "When asked what he would tell the developer of the Next Big Thing, the
  technology that could replace the Internet, Cerf said, "Shoot the patent
  lawyer."  The room, which was full of chief information officers for
  large, proprietary companies, burst into both laughter and applause.  Cerf
  continued, "Bob [Kahn] and I knew we could not succeed if we tried to
  protect the Internet's design. As it turns out that worked out really
  well, and I think that's still pretty good advice."  Cerf also spoke out
  against the Department of Homeland Security's recent seizures of websites,
  such as last year's seizure of scores of music sites and communities for
  copyright violations, which he called "a blunt instrument that can and
  should be exercised much more carefully."

"Who Decides Who You Are Online?" (Somini Sengupta)

<Lauren Weinstein>
Mon, 14 Nov 2011 15:31:55 -0800

  "As the Internet becomes the place for all kinds of transactions, from
  buying shoes to overthrowing despots, an increasingly vital debate is
  emerging over how people represent and reveal themselves on the Web sites
  they visit. One side envisions a system in which you use a sort of digital
  passport, bearing your real name and issued by a company like Facebook, to
  travel across the Internet. Another side believes in the right to don
  different hats - and sometimes masks - so you can consume and express what
  you want, without fear of offline repercussions.  The argument over
  pseudonyms - known online as the "nym wars" - goes to the heart of how the
  Internet might be organized in the future.  Major Internet companies like
  Google, Facebook and Twitter have a valuable stake in this debate - and,
  in some cases, vastly different corporate philosophies on the issue that
  signal their own ambitions."

    [This quote is excerpted from a long article by Somini Sengupta, *The
    New York Times*, 14 Nov 2011, entitled Rushdie Runs Afoul of Web's
    Real-Name Police, which google headlines as "Rushdie Wins Facebook
    Fight Over Identity".  PGN]

Facebook's tracking of other Web site visits under fire (NNSquad)

Lauren Weinstein <>
Wed, 16 Nov 2011 17:02:35 -0800

Facebook's tracking of other Web site visits under fire  (USA Today)

  "Facebook officials are now acknowledging that the social media giant has
  been able to create a running log of the web pages that each of its 800
  million or so members has visited during the previous 90 days.  Facebook
  also keeps close track of where millions more non-members of the social
  network go on the Web, after they visit a Facebook web page for any

How Google, by voluntarily implementing facial blurring...

Wed, 16 Nov 2011 06:44:30 +0800

"It is also a case study of how Google, by voluntarily implementing
facial blurring in its relatively new but hugely popular Street View
automated 360-degree panoramas, created norms in the minds of regulators
that they are now eager to set in stone legally."

Why don't they also blur pets while they are at it?

"Coming conundrum: Malware signed by a legitimate developer"

Gene Wirchenko <>
Fri, 18 Nov 2011 10:13:08 -0800

Robert Lemos, *InfoWorld*, 17 Nov 2011
Coming conundrum: Malware signed by a legitimate developer
Cyber criminals are stealing code-signing certificates, allowing
their malware to get by some defenses

selected text:

Signed code has become one of the common measures used to secure various
computing platforms.

Yet cyber criminals and other attackers are starting to use signed code to
evade security measures by stealing legitimate certificates from software
developers, then using the certificates to sign their malicious programs.

In 2009, the company [AVG] detected about 30,000 malicious programs signed
with legitimate—albeit stolen or fraudulently issued—certificates. The
next year, that number increased by a third and is on track to triple in

Standard and Poor's and France's credit

Mark Brader
Wed, 16 Nov 2011 18:01:31 -0500 (EST)

You've probably received submissions about the incident last week when
it appeared, due to a technical error, that Standard and Poor's had
downgraded France's national credit rating.

Here's what happened:

In case the link does not remain valid, the key part reads:

|  Friday, S&P said the mistake arose because it had placed France's banking
|  industry country risk assessment, which is not a credit rating, in its
|  online portal last December to test a method of displaying the information
|  on individual pages.  The ratings service used France's banking risk
|  assessment to test the change but did not enter the other 85 country
|  rankings in the same way.
|  That difference prompted the item on France's status to display N/A, or
|  not available, on S&P's Global Credit Portal page when it went live
|  Thursday, which triggered its system to interpret the change as a
|  downgrade.

Congress Declares War on the Global Internet - Internet Replies

Wed, 16 Nov 2011 13:19:00 -0800 (PST)
  "Bring It On!"

 Lauren Weinstein's Blog Update: Congress Declares War on the Global
 Internet - Internet Replies "Bring It On!", 16 Nov 2011

In my previous posting, The Coming Fascist Internet, I explained how
government moves to control and censor the Internet, including
hypocritically by the U.S.—are pointing to an Internet future that can
quite reasonably be equated with fascism.  Strong words I know, but
unfortunately true ones.

If you needed more proof, you only needed to observe today's Congressional
hearing on SOPA (Stop Online Privacy Act), which was much more akin to a
lynch mob, or a scene from dictator's kangaroo court, than a honest attempt
to explore the issues.

The hearing was stacked with SOPA proponents whose goal is simple—get the
entire Internet around the world under the boot of U.S.-ordered censorship
and total control.

The only real anti-SOPA witness the House Judiciary Committee permitted
was Katherine Oyama of Google, and the Committee overall treated her
with the kind of unfairness and
( )
that make everyday bullies and criminals look like rank

It was a disgusting display by Congress, and a clear signal of how our
leaders (from both parties) are hellbent on destroying Internet freedoms as
we know them today.

If this all weren't so deadly serious, there would almost be comical
aspects.  The MPAA, faced with complaints that SOPA (and the similar
legislation on the Senate side—PIPA [PROTECT IP]) would break DNSSEC,
merrily suggested that it simply should be rewritten so that government
censorship orders could be easily implemented.

That the MPAA would make asinine comments like that is actually easy to
understand.  After all, they view the entire world as simply a film script
to be sent out for rewrites on demand.  And since their real goal (along
with various of their brethren) is to rewrite technology to protect their
traditional profit centers—civil rights be damned—we should not be
surprised when they treat the entire planet like extras to be ordered around
like slaves.

So Congress wants to declare War.  Judging from my email, the Internet is
champing at the bit for battle.

I have never before seen such a flood of messages ranging from "I'm
terrified for our future" to "What can we do?" to "Here are my ideas for
fighting back."

It's certain that this war could bring with it many causalities.  Network
fragmentation in various forms is an obvious example, since the rest of the
world seems unwilling (surprise!) to allow the U.S. to keep dictating
Internet policy forever, especially when the U.S. want to use its skewed
control over the DNS (Domain Name System) as a judge, jury, and executioner
baton to beat other countries' sensibilities to a pulp.

All manner of "workarounds" to such censorship are being proposed, many
extremely intriguing, most of which would actually be illicit under the
anti-circumvention provisions of SOPA. There's been a massive increase in
queries regarding my proposed distributed Internet naming system IDONS
( ), but this is
a long-term proposal, not a weapon for the immediate battles at hand.

Still, it is apparent that if Congress proceeds along their current path of
trying to dictatorially censor sites, search engines, and other aspects of
Internet operations, they will be setting loose the technological dogs of
war in ways that are beyond the scope of their darkest nightmares, and that
make "Anonymous" and the "Occupy" movement look like fleas on an elephant by

That isn't a threat.  It's a prediction.  It's a prediction made with the
hope (though admittedly not the expectation) that Congress will step back
from the precipice that leads to the destruction of the Internet in the form
that has brought freedom of communication to the world, to a degree and in
manners never before imagined.

Congress' approach to dealing with the issues of piracy is to figuratively
use hydrogen bombs as a palliative measure—cities reduced to rubble won't
have much of a piracy problem.

But in the real world of the Net, the technological means to fight such a
war are remarkably well distributed among Internet users at large.  It seems
as if the Congressional push for SOPA/PIPA reveals an utter cluelessness by
Congress regarding what is actually about to be unleashed.

If Congress really wants to go to war against the Internet, they'll have
their war.  But it will be like nothing the world has ever seen before.  You
can count on it.

Insider fraud (Michael Lee)

"Peter G. Neumann" <>
Fri, 18 Nov 2011 8:26:04 PST

Michael Lee, ZDNet, 17 Nov 2011, <>
  [Item thanks to Jeremy Epstein.  PGN]

Companies are being duped more by their own employees than by external
hackers when it comes to cyber fraud, according to KPMG Forensic associate
director Stan Gallo, and those employees are often high earners.

Gallo presented his talk on corporate identity theft and fraud at Attachmate
Group's A Powerful Connection 2011 event today in Sydney, revealing that the
typical fraudster isn't your average, scruffy-looking bedroom hacker, but
more likely an insider within the corporation.

In 65 per cent of all fraud cases, insiders tap into an organisation's IT
systems, secretly siphoning off money from the company, or selling
intellectual property.

One example that Gallo provided was a mother who helped herself to $1.2
million on top of her $40,000 salary by gaming the company's invoicing
system. Working in the accounts-payable department of the company, she
noticed that payment details were being stored on a shared network
drive. After editing the file to fill her own account, she would wait until
repeat invoices would be issued, and then abuse her position to approve the
payment, hiding it among the other several thousand payments that the
company made to cover her tracks.

Although the average amount stolen in Australia was $229,000 per incident,
Gallo said that women tended to steal much more than men. Yet, in general,
the thefts were more likely to have been perpetrated by a man.  [...]

Re: ANA plane goes nearly belly up ... wrong knob turned (Disdale, RISKS-26.61)

Tony B Atkinson <>
Wed, 16 Nov 2011 17:24:01 +0000

Pete Disdale <>writes

> I ... find this astonishing. I had always believed that flight deck
  controls (knobs, levers etc.) were required to be "different" -
  i.e. different colours, shapes - in order to avoid or minimise any
  confusion by the pilot."

In fact, the two knobs are distinctly different in size and shape. You can
see a photo at .

The flightdeck illustrated has the two controls adjacent. I believe that on
the ANA control pedestal the knobs are slightly further apart, but still
pretty close. The pilot has to reach behind him to access the control, it's
effectively out of his line of sight. Distinguishing the control is probably
done by feel most of the time. Incident waiting to happen really. As has
been pointed out, the cabin door lock may be a retrofit or post-original
design. It would have been better to use a different 'affordance' for the
door lock and also to make the rudder control something like a 'push and

Ahh, the benefit of hindsight.

Tony Atkinson, Process Safety Consultant (Human Factors)

Re: The Coming Fascist Internet (Weinstein, RISKS-26.61)

"Smith, Mike" <>
Tue, 15 Nov 2011 10:43:40 -0500

It seems to me there are some competing interests here.  Just to focus on
the intellectual property issue, I note two clauses in the Universal
Declaration of Human Rights (

Article 19: Everyone has the right to freedom of opinion and expression;
this right includes freedom to hold opinions without interference and to
seek, receive and impart information and ideas through any media and
regardless of frontiers.

Article 27(2): Everyone has the right to the protection of the moral and
material interests resulting from any scientific, literary or artistic
production of which he is the author.

Does Article 19 give one the right to receive and impart someone else's
scientific, literary or artistic productions without regard to the author's
moral and material interests?  That seems to be what Lauren is advocating.
I'm not so sure.  And if governments and other entities that operate the
communications media are not to provide the protection to which authors of
bit-based products are entitled under 27(2), then who is?

How about Article 29(2)?: In the exercise of his rights and freedoms,
everyone shall be subject only to such limitations as are determined by law
solely for the purpose of securing due recognition and respect for the
rights and freedoms of others and of meeting the just requirements of
morality, public order and the general welfare in a democratic society.

Ah.  There are legitimate reasons for passing laws to limit certain rights
in order to protect other rights.  We can debate the extent of those
limitations, but not that some limitations are, in fact, necessary.

Mike Smith, CISSP, Senior IT Security Engineer, AEPOS Technologies Corporation
(613) 237-3022

Does this icon mean YES or NO?

Mon, 14 Nov 2011 13:57:21 +0800

[(Smørgrav, RISKS-26.61)]
> replacing text buttons with non-obvious icons

Every day, all over the Internet, like some kind of game.  Fortunately being
a computer wiz, I can look into the HTML source of such web pages to find
what the names of the icons being used are, e.g., YES.gif, NO.gif. Wouldn't
want to click on Mr. WRONG.

Please report problems with the web pages to the maintainer