The RISKS Digest

Forum on Risks to the Public in Computers and Related Systems

ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

Volume 26 Issue 79

Tuesday 17 April 2012

Contents

Hospital generator failure following earthquake
Jonathan Hunt
For want of an isolating ground, a railroad was shut down
Danny Burstein
Insider attack on smart meters
PGN
UK Government to give consumers control over smart meter data amidst privacy concerns
Bob Waixel
Why one in five U.S. adults don't use the Internet
CNN
60% of Wikipedia entries about companies contain errors: correcting them isn't easy
Science News
Computer Fraud Act Case Dismissed
Donn Parker
GPS is a humanitarian weapon system
jidanni
DHS chief contemplating proactive cyber attacks
Steve Johnson via Richard Forno
MintChip—a virtual cryptocurrency backed up by a government
Mark Thorson
ICANN data breach exposes gTLD applicant data ...
ars technica
CIA's Secret Fear: High-Tech Border Checks Will Blow Spies' Cover
Robert Schaefer
"Apple under fire for backing off IPv6 support"
Gene Wirchenko
CISPA, Cybersecurity, and the Devil in the Dark
Lauren Weinstein
Web freedom faces greatest threat ever, warns Google's Sergey Brin
The Guardian
DARPA Challenge Seeks Robots to Drive Into Disasters
ACM TechNews
Walled gardens look rosy for Facebook, Apple—and would-be censors
The Guardian
Re: Unraveling a massive click fraud scheme
Martin Ward
"Did first DDOS attack sink the Titanic?"
Gene Wirchenko
Info on RISKS (comp.risks)

Hospital generator failure following earthquake

Jonathan Hunt <risks.org@huntdesign.co.nz>
Tue, 17 Apr 2012 22:50:08 +1200

A report in the Lancet by Michael Ardagh et al. describes the initial
health-system response to the earthquake in Christchurch, New Zealand, in
February 2011, with a focus on the Christchurch Hospital emergency
department.  While the response is assessed as effective, the report notes
"Power was lost immediately.  Within seconds, six diesel-fueled generators
activated to provide power to electrical outlets designated as essential
services.  However, the severe shaking disturbed sump sludge within the
diesel tanks.  Consequently during subsequent hours, a generator failed
several times, leaving the emergency department clinical areas, ICU, blood
bank, radiology department, and other areas with no power."

Under Lessons learned, the report states, "The back-up generator diesel
tanks have since been drained and cleaned."

http://www.thelancet.com/journals/lancet/article/PIIS0140-6736(12)60313-4/fulltext (registration required)


For want of an isolating ground, a railroad was shut down

Danny Burstein <dannyb@panix.com>
Wed, 11 Apr 2012 22:32:51 -0400 (EDT)

[from the IG report looking into a Long Island RR
    (NYC suburban commuter line) failure last year]

At approximately 4:30 p.m. on 29 Sep 2011, the beginning of the evening
rush, lightning struck near Long Island Rail Road (LIRR) tracks, creating a
power surge that disabled the signal system controlling the train
interlocking just west of Jamaica Station.

Approximately three and a half hours after the strike, in an attempt to
repair a computer server believed to have been damaged by the power surge, a
LIRR employee erroneously disabled the separate signaling system controlling
the train interlocking just east of Jamaica Station. At that point, all
service was suspended.

 * So, how did lightning get through the various safeguards?

The report continues:

Specifically, OIG found that:

In accordance with its contract, ASTS designed the new signaling system for
the Jamaica Interlocking but LIRR employees installed it.  During the
installation, LIRR added a piece of computer equipment called a "serial
server", which was not part of the ASTS design.  This server allows LIRR to
remotely monitor various pieces of the equipment.

In the course of attaching the server to the new signaling equipment, a LIRR
employee used one incorrect connector.  ASTS, LIRR, and Systra all agree
that this connector created the pathway by which the power surge generated
by the lightning damaged the signal system and brought it down.

rest: http://mtaig.state.ny.us/assets/pdf/12-01.pdf


Insider attack on smart meters

"Peter G. Neumann" <neumann@csl.sri.com>
Sun, 15 Apr 2012 10:40:46 PDT

Interesting convergence of different underestimated issues - insider
attacks (frequently ignored) and smart meters (largely ignored).
[Thanks to Jeremy Epstein for spotting this one.  PGN]

FBI Concerned About Smart Meter Hacking, 9 Apr 2012

According to an FBI cyber bulletin, an unnamed utility company in Puerto
Rico was the target of attacks against smart meters, costing the company
hundreds of millions of dollars. This appears to be the first report of such
attacks and the FBI expects that the occurrence of similar attacks will rise
as the smart grid technology is more widely adopted. The FBI believes that
former employees of the meter manufacturer reprogrammed meters for between
US $300 and US $3,000 so that the associated buildings appeared to be
consuming less power than they actually used.  Most meters are read
remotely, making fraud detection difficult. The alterations require physical
access.

http://krebsonsecurity.com/2012/04/fbi-smart-meter-hacks-likely-to-spread/


UK Government to give consumers control over smart meter data amidst privacy concerns

"Robert (Bob) Waixel" <r.waixel@bcs.org.uk>
Fri, 13 Apr 2012 17:10:36 +0100

Outlaw, the blog of the respected UK IT law firm Pinsent Masons, has a
thorough article on the risks of installing 'smart' utility (gas and/or
electricity) meters at:
http://www.out-law.com/en/articles/2012/april/government-to-give-consumers-control-over-smart-meter-data-amidst-privacy-concerns/?utm_source=twitterfeed&utm_medium=twitter&utm_campaign=Feed%3A+out-law-NewsRoundUP+%28OUT-LAW+News-RoundUP%29

It refers to a paper by Ross Anderson and Shailendra Fuloria ("Who controls
the off switch?")
http://www.cl.cam.ac.uk/~rja14/Papers/meters-offswitch.pdf

Both are well worth reading. There are risks in switching to computerised
metering / systems, including:

* unwanted intruders to the data held at your house, in transit or at the
  utility, accessing when you are in/out or being able to have a good guess
  at when you are watching TV, or even using the bedroom?

* various other privacy breaches involving an individual's or household's
  personal data

There is an additional set of risks if such a meter incorporates an 'off'
switch to the supply at your location, especially if unauthorised access to
such functionality is a possibility.  I know the suppliers will claim their
security is (will be) so perfect that it is ridiculous to consider this as
feasible.

If it is a business of course, it might be a ripe source of potential
blackmail (greenmail or any colour of your choice).

I'm sure the data will be a tempting target at all stages of its journey
from home or business to utility's database.

Robert (Bob) Waixel, MBCS, MCInstM, FHEA, CITP
RW Systems, Cambridge, UK, r.waixel@bcs.org.uk


Why one in five U.S. adults don't use the Internet (CNN)

Lauren Weinstein <lauren@vortex.com>
Fri, 13 Apr 2012 23:53:55 -0700

  "Even though the Internet has become a key tool for accessing services,
  getting an education, finding jobs, getting the news, keeping up with
  people you know and much more, one in five U.S. adults still does not use
  the Internet at all, according to a new Pew report.  Why? Mostly they're
  just not interested—not in the Web, e-mail, YouTube, Facebook or
  anything else that happens online."  http://j.mp/HSPgL7  (CNN)


60% of Wikipedia entries about companies contain errors: correcting them isn't easy

Lauren Weinstein <lauren@vortex.com>
Tue, 17 Apr 2012 10:12:30 -0700

http://j.mp/IuII3Q  (Science News)

  When respondents attempted to engage editors through Wikipedia's "Talk"
  pages to request factual corrections to entries, 40 percent said it took
  "days" to receive a response, 12 percent indicated "weeks," while 24
  percent never received any type of response.  According to Wikipedia, the
  standard response time to requests for corrections is between two and five
  days.  Only 35 percent of respondents were able to engage with Wikipedia,
  either by using its "Talk" pages to converse with editors or through
  direct editing of a client's entry. Respondents indicated this figure is
  low partly because some fear media backlash over making edits to clients'
  entries. Respondents also expressed a certain level of uncertainty
  regarding how to properly edit Wikipedia entries.  Of those who were
  familiar with the process of editing Wikipedia entries, 23 percent said
  making changes was "near impossible." Twenty-nine percent said their
  interactions with Wikipedia editors were "never productive."


Computer Fraud Act Case Dismissed

Donn Parker <Donnlorna@aol.com>
Wed, 11 Apr 2012 19:41:50 -0400 (EDT)

It has finally happened. The Federal Computer Fraud and Abuse Act has been
limited. See
http://www.sfgate.com/cgi-bin/article.cgi?f=/c/a/2012/04/11/BU7P1O1AST.DTL

The Ninth U.S. Circuit Court of Appeals said:

Under the prosecution's interpretation [of the Act], "millions of
unsuspecting individuals would find that they are engaging in criminal
conduct," said Chief Judge Alex Kozinski in the majority opinion.  The
defendant in the case is still being prosecuted for engaging in other
criminal acts.  Although I supported with testimony, helped write, and
assisted in getting the original Computer Fraud and Abuse Act adopted, I
pointed out that all violations it covered seemed to be covered by existing
criminal laws (as was this case) and in most cases had stronger
penalties. Several prosecutors told me that they wouldn't apply the new law
anyway because violation of existing laws would be more easily understood by
the courts.  However, there is still value in the Computer Fraud and Abuse
Act for three reasons. It has drawn public attention onto crimes in the new
IT environments, it encouraged potential victims to protect themselves, and
it helped law enforcement agencies get funding and motivation for gaining
the skills and knowledge to investigate and prosecute the old crimes in the
new IT environments.  When I write "new IT environments", I mean where a
computer plays one or more of four roles: object of attack, subject (unique
environment), tool, and symbol (for deception).  Donn


GPS is a humanitarian weapon system

<jidanni@jidanni.org>
Sun, 15 Apr 2012 23:45:16 +0800

"GPS is a humanitarian weapon system" says Dr Bradford W Parkinson,
Chief Architect of Global Positioning System

http://mycoordinates.org/his-coordinates-2/

"Just before the first Iraq war, the US had turned on the GPS Selective
Availability feature. But the irony was that, as soon as the war started,
they decided to turn it off since many of the soldiers had civilian GPS
sets. It was hurting themselves. We never should have done it in the first
place."

"Incidentally, I was very instrumental in getting that turned off; my
argument always was that wiggling the signal with selective availability was
only going to speed up the introduction of differential systems and that is
exactly what happened. By 1978 we had already demonstrated differential GPS
that could reduce errors to about 2 meters, so I said why on earth would you
try and put something in place that is so trivially defeated."


DHS chief contemplating proactive cyber attacks (Steve Johnson)

<Richard Forno>
Tuesday, April 17, 2012

Begin forwarded message (via Dave Farber's IP distribution):

Steve Johnson, Homeland Security chief contemplating proactive cyber attacks
*San Jose Mercury News*, 16 Apr 2012 sjohnson@mercurynews.com,

Posted:   04/16/2012 07:35:38 PM PDT
Updated:   04/16/2012 09:08:36 PM PDT

http://www.mercurynews.com/rss/ci_20410915

Homeland Security Secretary Janet Napolitano said Monday she would consider
having tech companies participate with the government in "proactive" efforts
to combat hackers based in foreign countries.

Napolitano, who made the comments during a meeting at the *San Jose Mercury
News* with the editorial board and reporters, declined to say what steps
corporations and federal agencies might take against foreign cybercrooks,
who have been blamed for numerous computerized incursions against the United
States. She made the remarks in response to a question, and emphasized the
idea is merely one she would consider and that no decisions have been made.

In discussing the private partnerships she is promoting to combat
cyberattacks, Napolitano was asked if instead of just taking defensive
measures, the government and companies should be launching proactive
counterattacks against foreign-based culprits. "Should there be some aspect
that is in a way proactive instead of reactive?" she responded, and then
answered her own question with "yes." She added, "it is not something that
we haven't been thinking about," noting someone else had raised the subject
with her earlier Monday.

However, Napolitano said some restrictions might have to be placed on
businesses participating in such cyber activities because "what you are
doing is authorizing a private entity to do what might otherwise be
construed as an attack on another entity."

  [Long item truncated for RISKS. PGN]


MintChip—a virtual cryptocurrency backed up by a government

Mark Thorson <eee@sonic.net>
Wed, 11 Apr 2012 14:44:52 -0700

One of the major objections to the Bitcoin cryptocurrency is it isn't backed
up by anything, no hard assets or government.  MintChip aims to succeed
where Bitcoin faltered by having the backing of the Royal Canadian Mint.

http://www2.macleans.ca/2012/04/10/mintchip-is-a-fresh-idea/

Is it secure?  Of course it's secure!  It has the dual advantages
of a (presumably) cryptologically reliable technology combined
with a totally secret implementation.

http://mintchipchallenge.com/forum_topics/759


ICANN data breach exposes gTLD applicant data ... (ars technica)

Lauren Weinstein <lauren@vortex.com>
Fri, 13 Apr 2012 10:44:36 -0700

ICANN data breach exposes gTLD applicant data, leads to deadline extension

http://j.mp/IlHuaN  (ars technica)

  "The group that oversees the Internet's address system has extended the
  application deadline for new generic top level domains (TLDs) and warned
  that a glitch in its processing system exposed potentially sensitive
  applicant information to competitors."

They can't even get the basic application security right.


CIA's Secret Fear: High-Tech Border Checks Will Blow Spies' Cover

Robert Schaefer <rps@haystack.mit.edu>
Thu, 12 Apr 2012 10:31:31 -0400

Who would have guessed that this would happen - high-tech security is
getting so good at border crossings that it can actually catch spies.

http://www.wired.com/dangerroom/2012/04/cia-spies-biometric-tech/all/1

Robert Schaefer, Atmospheric Sciences Group, MIT Haystack Observatory,
Westford MA 01886 http://www.haystack.mit.edu 781-981-5767 rps@haystack.mit.edu


"Apple under fire for backing off IPv6 support"

Gene Wirchenko <genew@ocis.net>
Mon, 16 Apr 2012 08:08:53 -0700

http://www.itbusiness.ca/IT/client/en/CDN/News.asp?id=67004
Apple under fire for backing off IPv6 support
Presenters at the North American IPv6 Summit expressed annoyance that
the latest version of Apple's AirPort Utility is no longer compatible with IPv6
4/13/2012 3:01:00 PM By: Carolyn Duffy Marsan


CISPA, Cybersecurity, and the Devil in the Dark

<lauren@vortex.com>
Sat, 14 Apr 2012 12:01:42 -0700 (PDT)

Lauren Weinstein's Blog Update, April 14, 2012
CISPA, Cybersecurity, and the Devil in the Dark
http://lauren.vortex.com/archive/000947.html

The threat of "cyberattacks" is real enough.  But associated risks have in
many cases been vastly overblown, and not by accident of chance.

The "cybersecurity" industry has become an increasingly bloated "money
machine" for firms wishing to cash in on cyber fears of every stripe, from
realistic to ridiculous. And even more alarmingly, it has become an excuse
for potential government intrusions into Internet operations on a scope
never before imagined.

There are warning signs galore.  While we can all agree that SCADA systems
that operate industrial control and other infrastructure environments are in
need of serious security upgrades—most really never should have been
connected to the public Internet in the first place—"war game" scenarios
now being promulgated to garner political support (and the really big
bucks!) for "cyber protection" have become de rigueur for agencies and
others hell bent for a ride on the cybersecurity gravy train.

Phony demos purporting to illustrate mass cyber attacks are more akin to
Fantasyland than reality, and the turf war between the Department of
Homeland Security (DHS) and intelligence agencies such as CIA and NSA in
this sphere should give all of us cause for significant concern.

The Cyber Intelligence Sharing and Protection Act (CISPA - H.R. 3523) has
become the embodiment of hopes for those entities who hope to turn overblown
fears of cyber attacks into a pipeline for potentially massive access by
government into the private data of Internet users.

Sponsors of the legislation tout its relative shortness and generality, but
those are precisely among the aspects that make this legislation so
problematic.

CISPA effectively overrides virtually all existing laws related to Internet
privacy protections.  And since CISPA offers firms access to government
cybersecurity "threat data" in exchange for ostensibly voluntary feeding of
data back from those firms to the government, and provides for broad
protective immunity for companies that choose to do so, a pantheon of tech
heavyweights have lined up in support.

Just a few of the firms who have to various extents professed direct support
of CISPA include Facebook, Symantec, Verizon, IBM, Intel, Microsoft, and
Oracle. There are many others.

Notably absent from this list is Google, who has not taken a formal position
on the existing CISPA legislation and apparently is unlikely to do so.

Google's current approach to CISPA seems particularly prescient.

While it would be absolutely incorrect to attribute bad motives to the firms
supporting CISPA, the legislation itself is in my view so vague and general
that it represents largely an "empty vessel" capable of enormous potential
damage if deployed and then subjected to the inevitable stream of court
interpretations.

CISPA claims to ban using data collected under its authority for other than
cyber threat activities.  But we've seen such data compartmentalization bans
fall many times before in other data collection contexts.

Since the legislation creates such a broad override of existing privacy
protections, and such encompassing immunities for firms that provide
associated data to the government, the lack of specificity in so many
aspects of CISPA creates what could be the opportunity for a "perfect storm"
of abuses down the line.

There are indeed genuine risks of serious attacks on the Internet and
connected infrastructural systems.  But in the fog of the
military-industrial complex's rapid push into this area, it has become
obvious that realistic assessments are being shoved aside in favor of scare
tactics, agency power struggles, and "get rich quick" scheming.

This entire area has become a quintessential example of sowing F.U.D.  --
Fear, Uncertainty, Doubt—while legitimate questions of privacy and
individual rights are purposefully being marginalized.

We saw much the same thing happen after 9/11, with the knee-jerk rush to
pass the PATRIOT Act and Homeland Security Act, with a range of profiteering
and abuses against individual liberties that then resulted—even leading
the U.S. down the evil path of torture.

We must avoid a repeat of this madness.

Information sharing can be a crucial element of cybersecurity, but for
legislation addressing this area, the devil is very much in the details, and
the lack of details in CISPA is an invitation to possible privacy disasters.

To the extent that cybersecurity threats do exist, the desire to quell them
must not be permitted to run slipshod over our personal privacy, liberties,
and associated protections in existing laws.

We can work together to help protect ourselves from actual cyber threats,
without allowing ourselves to become cyber schnooks in the process.


Web freedom faces greatest threat ever, warns Google's Sergey Brin

Lauren Weinstein <lauren@vortex.com>
Sun, 15 Apr 2012 09:51:37 -0700

  "The principles of openness and universal access that underpinned the
  creation of the Internet three decades ago are under greater threat than
  ever, according to Google co-founder Sergey Brin.  In an interview with
  the Guardian, Brin warned that there were "very powerful forces that have
  lined up against the open Internet on all sides and around the world. I am
  more worried than I have been in the past it's scary."  He said the threat
  to the freedom of the Internet came from a combination of governments
  increasingly trying to control access and communication by their citizens,
  the entertainment industry attempting to crack down on piracy, and the
  rise of "restrictive" so-called walled gardens such as Facebook and Apple,
  which tightly controlled what software could be released on their
  platforms."  http://j.mp/IJN8Z1  (Guardian)

I agree 100% with Sergey.  And regardless of how you personally feel
about Google, to try to deny the truth of his remarks is beyond foolish.


DARPA Challenge Seeks Robots to Drive Into Disasters

ACM TechNews <technews@HQ.ACM.ORG>
Wed, 11 Apr 2012 11:24:11 -0400

  Excerpted from ACM TechNews, Wednesday, April 11, 2012
  Read the TechNews Online at: http://technews.acm.org

J. Nicholas Hoover, DARPA Challenge Seeks Robots to Drive Into Disasters,
*Information Week* 10 Apr 2012

The U.S. Defense Advanced Research Projects Agency (DARPA) announced the
Robotics Challenge, which will offer a $2 million prize to anyone who can
build a robot capable of navigating disaster-response scenarios and using
human devices that range from hand tools to vehicles.  The challenge aims to
improve the ability of robots to navigate rough terrain at disaster sites,
operate vehicles, and use common tools, as well as to make robot hardware
and software development more accessible.  As part of the challenge, robots
will be required to complete several discrete tasks, including traveling
across rubble, removing debris from a blocked entryway, climbing a ladder,
and entering and driving a car.  DARPA says it will provide "a robotic
hardware platform with arms, legs, torso, and head" to some entrants,
although robots in humanoid form are not required to enter the challenge.
"For robots to be useful to [the U.S. Department of Defense], they need to
offer gains in either physical protection or productivity," notes DARPA's
Kaigham Gabriel.  DARPA's announcement says the "proposed research should
investigate innovative approaches that enable revolutionary advances in
science, devices, or systems."  The challenge will take place in two phases
and will finish at the end of 2014.
http://www.informationweek.com/news/government/info-management/232900054


Walled gardens look rosy for Facebook, Apple—and would-be censors

Lauren Weinstein <lauren@vortex.com>
Tue, 17 Apr 2012 10:56:34 -0700

Battle for the Internet:
Walled gardens look rosy for Facebook, Apple - and would-be censors
http://j.mp/I3BV2B  (Guardian)

  Zittrain's real worry is that "the personal computer is dead".  His
  conclusion is a call to arms: "We need some angry nerds" - people capable
  of breaking out of the walled gardens.  Indeed, the US government has
  found some: it has backed projects such as "the Internet in a suitcase",
  which could set up a telecommunications network inside a country separate
  from the existing infrastructure.  Zittrain acknowledges such projects,
  but for the wider world, he says, "convenience is great. I wouldn't call
  for a return to the green blinking cursor of [Microsoft's pre-Windows]
  MS-DOS or the [text-based] Apple II. But we should build architectures
  that permit innovation and experimentation if consumers wish to go
  'off-roading'."


Re: Unraveling a massive click fraud scheme (NNSquad)

Martin Ward <martin@gkc.org.uk>
Thu, 12 Apr 2012 11:01:45 +0100

Panos Ipeirotis writes at the end of his dissection of the click fraud scheme:

"The guy essentially realized that this type of fraud is really behaving like
a parasite within a much bigger ecosystem."

Given that the entire advertising industry is itself a parasite,
this makes the guy a parasite on a parasite: which is probably a good thing!

Is it really "fraud"? Only in the same sense that running Adblock Plus
is fraud, or recording the programmes I want to watch and editing out
the adverts before I watch them is fraud. What about going
to the kitchen to get a drink when the adverts are on? Or just not paying
attention to the adverts? Or paying attention but deciding not to buy
the goods advertised?

What is the worst that could happen? The collapse of the entire
advertising industry? And this would be a bad thing?
(Those worried about all the jobs that would be lost needn't worry:
they could all get jobs in the stone-throwing-and-reglazing industry,
with no loss to the economy as a whole).

STRL Reader in Software Engineering and Royal Society Industry Fellow
martin@gkc.org.uk  http://www.cse.dmu.ac.uk/~mward/


"Did first DDOS attack sink the Titanic?"

Gene Wirchenko <genew@ocis.net>
Mon, 16 Apr 2012 08:42:58 -0700

http://www.itbusiness.ca/it/client/en/Home/News.asp?id=66989
Did first DDOS attack sink the Titanic?
Well maybe not. But overstressed wireless operators inundated with
personal messages played a critical role on the night of the tragic sinking.
4/13/2012 10:12:00 AM By: Sharon Gaudin
