The RISKS Digest
Volume 26 Issue 81

Friday, 4th May 2012

Forum on Risks to the Public in Computers and Related Systems

ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator



Fed report on that Southern California blackout
Danny Burstein
How to handle voter registration
Douglas A. Kellner
Re: The Power of Individual Voters to Transform Their Government
Mark E. Smith
North Korea jamming commercial airliner GPS?
Ars Technica on "back doors" in critical systems
Dan Goodin via C Y Cripps
"Microsoft detects new malware targeting Apple computers"
Jeremy Kirk via Gene Wirchenko
Data breaches in Massachusetts
Jenn Abelson via Monty Solomon
Tiny memory card causes unusual trouble for police
Mark Brader
Thwarting the Cleverest Attackers
Larry Hardesty via ACM TechNews
How to Muddy Your Tracks on the Internet
Kate Murphy via Monty Solomon
"Canadians hit by bogus Microsoft Help calls"
Gene Wirchenko
"Bad stats sink cyber crime costs claims"
Bill Snyder via Gene Wirchenko
DiscoverCard stores passwords in plaintext, e-mails them on request
Gregory Marton
"iPad in the enterprise: prepare for guerilla tactics"
Gene Wirchenko
Re: CIA's Secret Fear: High-Tech Border Checks Will Blow Spies' Cover
Geoff Kuenning
Re: Airline pilot distracted by new text messages
Peter Bernard Ladkin
Harvard and M.I.T. Team Up to Offer Free Online Courses
Tamar Lewin via ACM TechNews
Re: Harvard Library open access?
Jurek Kirakowski
Re: "Did first DDOS attack sink the Titanic?"
Scott Dorsey
Workshop on the Economics of Information Security WEIS 2012
Jeremy Epstein
Info on RISKS (comp.risks)

Fed report on that Southern California blackout

Danny Burstein <>
Tue, 1 May 2012 20:05:59 -0400 (EDT)

If only the utilities would talk to each other...

[from the FERC press release:]
Staff of the Federal Energy Regulatory Commission (FERC) and North American
Electric Reliability Corporation (NERC) today said the September 2011
blackout that left 2.7 million customers in Southern California, Arizona and
Baja California without power stemmed from operating in an unsecured state
due to inadequate planning and a lack of observability and awareness of
system operating conditions on the day of the event.  ....  (it all started
with) the loss of Arizona Public Service's (APS) Hassayampa-North Gila 500
kV transmission line.

That line loss itself did not cause the blackout, but it did initiate a
sequence of events that led to the blackout, exposing grid operators' lack
of adequate real-time situational awareness of conditions throughout the
Western Interconnection.

More effective review and use of information would have helped operators
avoid the cascading blackout. For example, had operators reviewed and heeded
their Real Time Contingency Analysis results prior to the loss of the APS
line, they could have taken corrective actions, such as dispatching
additional generation or shedding load, to prevent a cascading outage.


How to handle voter registration

"Douglas A. Kellner" <>
Thu, 26 Apr 2012 14:22:19 -0400

The real solution is election day registration, or even better, the
elimination of "voter registration" as we now know it.

There should be a presumption that every American citizen over the age of 18
is entitled to vote, unless that person has been formally disqualified by
court order.

North Dakota has no voter registration, and last time I counted, there
were 8 states with election day voter registration.

Several states have started to combine their voter registration database
with other databases, such as driver's licenses. It makes little sense to
incur the expense of maintaining a separate voter registration system.

As to David Jefferson's observation that "the technical community has been
so busy with voting itself that we have never had time to address
registration issues," we should realize that virtually all boards of
elections now rely heavily, if not solely, on computerized registration
databases.  There have been many reports about problems keeping these
databases current and there have been numerous controversies over
procedures for purging persons from the lists of eligible voters.

Litigation over counting provisional ballots confirms that there are a
substantial number of Americans who do not have their votes counted
because of the requirements of voter registration.  No citizen should be
denied the right to vote because she was not properly registered to vote.

Douglas A. Kellner, Co-Chair, New York State Board of Elections

  [Incidentally, Barbara Simons notes that she and Paula Hawthorn co-chaired
  a USACM study on Voter Registration Databases:

Re: The Power of Individual Voters to Transform Their Government

"Mark E. Smith" <>
Wed, 25 Apr 2012 18:34:32 -0700

Even if the Voters Rights Amendment (USVRA) were passed and ratified, which
is extremely unlikely because it would have to be passed and ratified by
politicians who are now in office due to the current corrupt system and not
apt to want it to change, millions of voters writing in the names of whoever
they wished would have no effect on the results. The central tabulators
would just flip as many of those votes as needed to the major candidates and
there is no way to verify it even when it is obvious, as when the woman who
voted for a Green candidate complained that the results showed he had gotten
no votes in her precinct.

Just because you use a paper ballot, don't think you're not using a voting
machine.  Your paper ballot will be fed into an optical scanner and the
memory card from the scanner will go to a central tabulator to be "counted."
More than 90% of the votes in the US are tallied by these unverifiable
central tabulators. And that's only if the Supreme Court is gracious enough
to allow the votes to be counted at all.

Here in San Diego we elected a write-in candidate for Mayor.  The Registrar
threw out more than 5,000 votes because the optical scanners wouldn't accept
the write-in votes unless a little bubble next to them was filled in. So a
new election was held and this time the candidate we'd elected was on the
ballot and won by a two-to-one or three-to-one margin at the polling
places.  But the new Registrar (the old one had resigned) "forgot" to notify
the official observers when the mail-in ballots were counted, and announced
that mail-in voters outnumbered and had voted differently from all other
local voters and that our candidate had lost. But so many people had turned
out that they didn't have a big enough margin to install the candidate the
1% wanted, so they held a third "election" and this time the 1% got their
way, as they usually do.

The only way to get honest elections is to refuse to vote until we do. If
you're willing to vote in elections where your vote doesn't have to be
counted and isn't verifiable, you have no leverage with which to demand
honest elections. Boycott 2012!

  [I don't think that is the *only* way, or even a *viable* way, because
  that could result in your having zero leverage and *never* being counted.
  As RISKS readers are generally aware, achieving real election integrity is
  an enormous problem, and requires total-system approaches that address
  hardware, software, and operational procedures within the entire
  beginning-to-end life cycle.  PGN]

North Korea jamming commercial airliner GPS?

"Peter G. Neumann" <>
Fri, 4 May 2012 6:24:30 PDT

Ars Technica on "back doors" in critical systems (Dan Goodin)

C Y Cripps <>
Mon, 30 Apr 2012 05:49:21 -0400 (EDT)

Dan Goodin, 25 Apr 2012
Backdoor in mission-critical hardware threatens power, traffic-control systems

Like a key under a doormat, the MAC address exposed here allows hackers to
tamper with this Internet-connected RuggedCom device, used to control power
substations and other critical infrastructure.

In the world of computer systems used to flip switches, open valves, and
control other equipment inside giant electrical substations and railroad
communications systems, you'd think the networking gear would be locked down
tightly to prevent tampering by vandals. But for customers of Ontario,
Canada-based RuggedCom, there's a good chance those Internet-connected
devices have backdoors that make unauthorized access a point-and-click

That's because equipment running RuggedCom's Rugged Operating System has an
undocumented account that can't be modified and a password that's trivial to
crack.  What's more, researchers say, for years the company hasn't bothered
to warn the power utilities, military facilities, and municipal traffic
departments using the industrial-strength gear that the account can give
attackers the means to sabotage operations that affect the safety of huge
populations of people.

"You treat these embedded appliances as a device that you don't have a
window to see into," says researcher K. Reid Wightman of industrial
machinery, which is often designed to withstand extreme heat and cold, dust,
and other brutal conditions where they're housed. "You can't really patch
it. You have to rely on the vendor to do the right thing when they set the
device up and when they install the OS. And the vendor really fell down on
this one."

The backdoor uses the login ID of "factory" and a password that's recovered
by plugging the MAC, or media access control, address of the targeted device
into a simple Perl script, according to this post published on Monday to the
Full Disclosure security list. To make unauthorized access easy, paying
customers of the Shodan computer search engine can find the IP numbers of
more than 60 networks that use the vulnerable equipment. The first thing
users who telnet into them see, as the picture above demonstrates, is its
MAC address.  [Long item truncated for RISKS.  PGN]

"Microsoft detects new malware targeting Apple computers"

Gene Wirchenko <>
Thu, 03 May 2012 10:22:08 -0700
  (Jeremy Kirk)

Jeremy Kirk, IDG News Service, *InfoWorld*, 2 May 2012
Users should be sure their Mac version of Office has up-to-date patches

  Microsoft has detected a new piece of malware targeting Apple OS X
  computers that exploits a vulnerability in the Office productivity suite
  patched nearly three years ago.  The malware is not widespread, wrote
  Jeong Wook Oh of Microsoft's Malware Protection Center. But it does show
  that hackers pay attention if it's found people do not apply patches as
  those fixes are released, putting their computers at a higher risk of
  becoming infected.

Data breaches in Massachusetts (Jenn Abelson)

Monty Solomon <>
Thu, 26 Apr 2012 11:19:13 -0400

Jenn Abelson, *The Boston Globe*, 24 Apr 2012
3.2 million people in Massachusetts have had data lost, stolen
4-year study shows consumers need more safeguards

Nearly half of Massachusetts residents have had their personal information
lost or stolen as a result of about 1,800 data breaches over the past four
years, according to a new report from the state's Office of Consumer Affairs
and Business Regulation. ...

Tiny memory card causes unusual trouble for police

Mark Brader
Thu, 3 May 2012 15:58:12 -0400 (EDT)

Last weekend at Mt. Woodside, BC, Canada, hang-gliding instructor pilot Jon
Orders was conducting a tandem training flight with student Lenami Godinez
when she fell to the ground and was killed.  The accident is under

The hang glider was equipped with a digital camera that might well show what
happened, but police currently do not have access to the images because
Orders *swallowed the memory card*.  Authorities say he has been X-rayed and
the card is confirmed to be in his digestive system.  On a CTV News report I
saw last night, they pointed out that the card used by this camera is much
smaller than those of older models—about the size of my thumbnail.

Facing charges of obstruction of justice, Orders has been ordered held
without bail until the card emerges.

Mark Brader, Toronto, | "Fast, cheap, good: choose any two."

  [One swallow does a plumber make, unless it's an Obstruction of Just-Us,
  don't Bust-Us...  PGN]

Thwarting the Cleverest Attackers (Larry Hardesty)

ACM TechNews <technews@HQ.ACM.ORG>
Fri, 4 May 2012 11:18:17 -0400

Larry Hardesty, *MIT News*, 1 May 2012

The threat of side-channel attacks is growing with the expanding popularity
of cloud computing, and a general strategy for ameliorating such attacks was
recently posted by Massachusetts Institute of Technology (MIT) researchers
on the Web site of the Electronic Colloquium on Computational Complexity.
The technique masks a computer program's computational details by converting
a given computation into a sequence of smaller computational modules.  Data
entered within the first module is encrypted and never decrypted during
execution, and then the first module's still-encrypted output is fed to the
second module, which encrypts it differently, and so on.  The final module's
output is the same output of the original computation, but the operations
performed by the individual modules are completely different.  Although the
instruction that inaugurates a new module is identical to the instruction
that concluded the last one, the modules are executed on different servers
on a network.  MIT professor Shafi Goldwasser says this method could thwart
attacks on private information as well as on devices that shield proprietary
algorithms to prevent reverse-engineering.

How to Muddy Your Tracks on the Internet (Kate Murphy)

Monty Solomon <>
Thu, 3 May 2012 19:45:33 -0400

Kate Murphy, *The New York Times*, 3 May 2012

Legal and technology researchers estimate that it would take about a month
for Internet users to read the privacy policies of all the Web sites they
visit in a year. So in the interest of time, here is the deal: You know that
dream where you suddenly realize you're stark naked? You're living it
whenever you open your browser.

There are no secrets online. That emotional e-mail you sent to your ex, the
illness you searched for in a fit of hypochondria, those hours spent
watching kitten videos (you can take that as a euphemism if the kitten fits)
- can all be gathered to create a defining profile of you.

Your information can then be stored, analyzed, indexed and sold as a
commodity to data brokers who in turn might sell it to advertisers,
employers, health insurers or credit rating agencies.

And while it's probably impossible to cloak your online activities fully,
you can take steps to do the technological equivalent of throwing on a pair
of boxers and a T-shirt. Some of these measures are quite easy and many are
free. Of course, the more effort and money you expend, the more concealed
you are. The trick is to find the right balance between cost, convenience
and privacy. ...

"Canadians hit by bogus Microsoft Help calls"

Gene Wirchenko <>
Fri, 04 May 2012 11:21:04 -0700
Canadians hit by bogus Microsoft Help calls
Here's how you can protect yourself against this scam.
5/3/2012 11:13:00 AM By: ITBusiness Staff

"Bad stats sink cyber crime costs claims" (Bill Snyder)

Gene Wirchenko <>
Thu, 19 Apr 2012 13:14:07 -0700

Bill Snyder, InfoWorld, 19 Apr 2012 [PGN-ed]
Microsoft researchers find that estimates of damages caused by cyber
crime are wildly inflated—and increase the danger

If you follow computer security and have a good memory, you might remember a
story from early 2009 that claimed cyber crime costs businesses as much as
$1 trillion in just one year—that's "trillion" with a "t." The version I
saw was by Cnet writer Elinor Mills, whom I've always considered quite
reliable. Somehow, her reporter's BS detector didn't go off, and she
regurgitated that wild assertion by McAfee, a company that makes a living
selling security products and services.

I had forgotten about that story until I came across a study by two
Microsoft researchers who took the trouble to look hard at the facts behind
the cyber crime scare stories, which persist to this day. Their paper, with
the appealingly sensational title of "Sex, Lies and Cybercrime Surveys," is
a rigorous debunking of the wildly inflated claims spread by security
companies, law enforcement, and credulous journalists.  I don't mean to pick
on McAfee or Mills, but as I've written more than once, neither IT nor the
public benefit from security scare stories.  Indeed, the more security
companies cry wolf, the less likely it is that well-founded warnings will be
heeded.

Consider how much money we're talking about when McAfee claims that
cyber crime costs $1 trillion a year. The requested federal defense
budget for the United States for fiscal year 2013 is just (!) $525.4
billion. The total profits derived from the global trade in illegal
drugs were pegged at $600 billion by the International Monetary Fund in

Is cyber crime really a bigger source of revenue than the drug trade?
Hard to believe.

Enter Dinei Florencio and Cormac Herley, the authors of the Microsoft
study, who say, "One recent estimate placed annual direct consumer
losses [from cyber crime] at $114 billion worldwide. It turns out,
however, that such widely circulated cyber crime estimates are generated
using absurdly bad statistical methods, making them wholly unreliable."

You'll notice that the figure they call wholly unreliable is just
one-tenth the size of the McAfee assertion.

The researchers make the point that most estimates of damage are reached
via surveys. Using surveys seems like a good strategy until you realize
that researchers start with what appears to be a hard number provided by
respondents, then extrapolate to a larger population: "Suppose we asked
5,000 people to report their cyber crime losses, which we will then
extrapolate over a population of 200 million. Every dollar claimed gets
multiplied by 40,000. A single individual who falsely claims $25,000 in
losses adds a spurious $1 billion to the estimate. And because no one
can claim negative losses, the error can't be canceled" through
averaging, as happens somewhat when people choose from ranges.

They go on to say the cyber crime surveys they've examined "exhibit
exactly this pattern of enormous, unverified outliers dominating the
data. In some, 90 percent of the estimate appears to come from the
answers of one or two individuals," Florencio and Herley state. [...]

  [See Snyder's url for the rest of the story and references.  PGN]
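The extrapolation arithmetic that Florencio and Herley describe, worked
through as an added example (this is not code from Snyder's article or from
the paper).  The 5,000-respondent sample below is constructed: almost
everyone reports $0, a few report modest losses, and one respondent claims
$25,000.  The capped estimate at the end is an assumption of this example, a
simple robustness check, not a method the paper prescribes.

```python
import random

SAMPLE_SIZE = 5_000
POPULATION = 200_000_000
SCALE = POPULATION / SAMPLE_SIZE  # every reported dollar is multiplied by 40,000


def constructed_sample(seed=1, outlier=25_000.0):
    """Constructed survey responses (not real data): 1% of respondents report
    a modest loss, everyone else reports $0, and respondent 0 claims `outlier`."""
    rng = random.Random(seed)
    losses = [0.0] * SAMPLE_SIZE
    for i in rng.sample(range(1, SAMPLE_SIZE), 50):
        losses[i] = float(rng.randint(20, 500))
    losses[0] = outlier
    return losses


def extrapolated_total(losses):
    """Naive population estimate: scale the sample sum by POPULATION / SAMPLE_SIZE."""
    return sum(losses) * SCALE


def contribution(single_loss):
    """Dollars that one respondent's claim adds to the extrapolated total."""
    return single_loss * SCALE


def top_respondent_share(losses):
    """Fraction of the extrapolated total that comes from the single largest claim."""
    return max(losses) * SCALE / extrapolated_total(losses)


def capped_total(losses, cap):
    """Illustrative robustness check (an assumption of this example, not the
    paper's method): cap every response at `cap` before scaling, so no one
    respondent can move the estimate by more than cap * SCALE."""
    return sum(min(x, cap) for x in losses) * SCALE


if __name__ == "__main__":
    sample = constructed_sample()
    print(f"one $25,000 claim adds ${contribution(25_000.0):,.0f}")
    print(f"naive estimate: ${extrapolated_total(sample):,.0f}")
    print(f"share from the single largest claim: {top_respondent_share(sample):.0%}")
    print(f"estimate with responses capped at $500: ${capped_total(sample, 500.0):,.0f}")
```

Because losses cannot be negative, the $1 billion that the single fabricated
claim contributes is never offset by anyone else's answer; it simply sits in
the total, which is why the share function reports that one respondent
accounts for most of the estimate.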

DiscoverCard stores passwords in plaintext, e-mails them on request

Gregory Marton <>
Sun, 29 Apr 2012 23:14:26 -0400

I just had the misfortune of mistyping my password four
times.  Now locked out, I had to get an agent on a chat session.  She
verified only my e-mail address (verifying that it was the one on file), and
immediately caused a message to be sent to that address with my password in
plain text.

I pointed out to her the RISK: that were that e-mail compromised, e.g. even
by someone looking over my shoulder, they'd have my password, and that if I
happened to use similar passwords on other sites then the attacker would
potentially get access to multiple accounts.  She got this and agreed to
lodge a complaint, but she wondered how they could do better.

Hasn't it been the industry standard for a very long time now to send a
rapidly expiring reset link?  I even think discovercard did that in the
past.  Is there reason to move *away* from hashed passwords and reset links
to plaintext?  Perhaps too many people forget and use recovery options each

I forgot to ask if the agent could see the password.  That would be another

Gregory A. Marton 617-858-0775
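The design Marton contrasts with Discover's practice, a salted password hash
plus a rapidly expiring, single-use reset link, as an added example.  This is
not Discover's system and not code from the post; the `AccountStore` class,
its method names, the 15-minute lifetime and the PBKDF2 work factor are all
assumptions of this example.

```python
import hashlib
import hmac
import os
import secrets
import time

PBKDF2_ITERATIONS = 600_000   # work factor; tune to the hardware doing logins
RESET_TOKEN_TTL = 15 * 60     # seconds a reset link stays valid (assumed)


def _hash_password(password: str, salt: bytes) -> bytes:
    """Slow, salted one-way hash; the plaintext is never stored anywhere."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)


class AccountStore:
    """Keeps only salted password hashes and hashed, expiring, single-use reset
    tokens, so neither a support agent nor a database dump can reveal a password."""

    def __init__(self, clock=time.time):
        self._clock = clock           # injectable so expiry can be tested
        self._users = {}              # email -> (salt, password_hash)
        self._reset_tokens = {}       # sha256(token) -> (email, expires_at)

    def create_user(self, email: str, password: str) -> None:
        salt = os.urandom(16)
        self._users[email] = (salt, _hash_password(password, salt))

    def verify_password(self, email: str, password: str) -> bool:
        record = self._users.get(email)
        if record is None:
            return False
        salt, stored = record
        return hmac.compare_digest(stored, _hash_password(password, salt))

    def issue_reset_token(self, email: str):
        """What an agent's 'send reset link' action would do.  Returns the
        token to embed in the e-mailed link; only its hash is kept server-side,
        so a later database leak cannot be replayed as a reset."""
        if email not in self._users:
            return None       # caller should respond identically either way
        token = secrets.token_urlsafe(32)
        digest = hashlib.sha256(token.encode("ascii")).hexdigest()
        self._reset_tokens[digest] = (email, self._clock() + RESET_TOKEN_TTL)
        return token

    def redeem_reset_token(self, token: str, new_password: str) -> bool:
        """Consumes the token on first use, whether or not it is still valid."""
        digest = hashlib.sha256(token.encode("ascii")).hexdigest()
        entry = self._reset_tokens.pop(digest, None)
        if entry is None:
            return False
        email, expires_at = entry
        if self._clock() > expires_at:
            return False
        self.create_user(email, new_password)   # fresh salt, new hash
        return True
```

The reset link compromises nothing by itself: it is useless after fifteen
minutes or after one use, and it never carries the old password, so the
shoulder-surfing scenario Marton describes yields at most a short window to
set a new password on that one account, not a credential reusable elsewhere.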

"iPad in the enterprise: prepare for guerilla tactics"

Gene Wirchenko <>
Wed, 02 May 2012 08:20:12 -0700
iPad in the enterprise: prepare for guerilla tactics
IT departments have to stay ahead of the curve to deal with rogues
bringing in the iPad
5/1/2012 2:14:00 PM By: Tom Kaneshige

Re: CIA's Secret Fear: High-Tech Border Checks Will Blow Spies' Cover

Geoff Kuenning <>
Wed, 18 Apr 2012 23:47:55 -0700
  (Schaefer, RISKS-26.79)

  [Backref fixed in archive copy.  PGN]

> Who would have guessed that this would happen - high-tech security is
> getting so good at border crossings that it can actually catch spies.

I just have to laugh.  For all of history, governments have worked on the
principle that they could do with impunity what they prevented their
citizens from doing.  Usually, we have agreed that such actions were
appropriate and moral (e.g., imprisoning criminals), but there has always
been a tradition of overstepping bounds.  Now, eagerly embraced technology
has made it more difficult to dodge repression.  And I'll bet that no
government, my own included, foresaw that the very tools they were deploying
to control their own population would also prevent them from freely
misbehaving when they chose to do so.

Geoff Kuenning

Re: Airline pilot distracted by new text messages (Flacy, R-26.80)

Peter Bernard Ladkin <>
Thu, 26 Apr 2012 21:06:45 +0200

Monty Solomon forwarded to RISKS an article by a certain Mike Flacy in
Digital Trends, who misreports a landing incident with a Jetstar A320 at
Singapore Changi.

Flacy's main claim is flat wrong: the phone incident and the landing gear
selection are separate events. The title of the story in Risks is also
wrong: the captain, whose phone was involved, was the Pilot Not Flying
(PNF), so he didn't "botch the landing". The short report is at

The phone incident concerned beeping from the reception of text messages,
and occurred about three minutes from anticipated landing. The PF called for
a missed-approach target altitude of 5,000 ft to be set in the
automation. The PNF missed that call, and told the investigators it was
because he was turning off his phone so as not to be distracted by further

The crew did not execute the landing checklist, and were not in a stabilised
approach at 1,000 ft as per company procedures. They were warned by the
aircraft systems that the gear was not down at about a minute before
anticipated landing, some two minutes after the phone incident. The pilot
flying (PF), the First Officer, prepared at that point to go around; the PNF
lowered the gear and put in more flaps. Neither of them communicated their
intent to the other about these contradictory actions.

The ATSB says that the crew failed to execute proper procedures, and also
failed to communicate effectively with each other, during their approach to
landing, a flight phase which takes place over a number of minutes. The
progress of the flight during approach to landing merits 20 paragraphs and 7
paragraph-size footnotes on about three pages. The phone incident merits
just two of those, about 140 words. The other nine-tenths of the description
details all the other things that did not go as they should have.

RISKS readers may judge for themselves why Flacy chose to mislead his
readers. Me, I am fed up with people writing crap about commercial aviation
incidents but I guess it is not going to stop soon.

Peter Bernard Ladkin, Causalis Limited and University of Bielefeld

Harvard and M.I.T. Team Up to Offer Free Online Courses (Tamar Lewin)

ACM TechNews <technews@HQ.ACM.ORG>
Fri, 4 May 2012 11:18:17 -0400

Tamar Lewin, *The New York Times*, 2 May 2012

Harvard University and the Massachusetts Institute of Technology (MIT)
announced a plan to offer free massively open online courses under their edX
partnership.  Overseeing edX will be a nonprofit organization that Harvard
and MIT will govern equally, and each school has pledged $30 million to the
initiative.  EdX's inaugural president will be Anant Agarwal, director of
MIT's Computer Science and Artificial Intelligence Laboratory, while
Harvard's contribution will be supervised by provost Alan M. Garber.
University officials say the new online platform would be used to research
educational technologies and methods as well as to build a global community
of online students.  Included in the edX project will be engineering courses
and humanities courses, in which crowdsourcing or software may be used to
grade essays.  Harvard Corporation's Lawrence S. Bacow says education
technology currently lacks "an online platform that gives faculty the
capacity to customize the content of their own highly interactive courses."
The edX effort faces competition from similar partnerships between Stanford,
Princeton, the University of Pennsylvania, the University of Michigan, and
Coursera.  The rapid evolution of online education technology is such that
those in the new ventures say the courses are still in an experimental

Re: Harvard Library open access? (RISKS-26.80)

"Jurek Kirakowski" <>
Thu, 26 Apr 2012 13:24:09 +0100

The Harvard Library initiative is in the air all right. Less influential
centres of learning usually let everyone else do the running - other
universities, HEA, funders e.g. EPSRC insisting that publicly funded
research be available on open access.

See UK projects in this direction:

And examples of directories:

The problem then becomes one of managing the information and data, making it
findable and accessible, tracking impact and ensuring its long term

Kuali OLE
Huddersfield University.

The RISK is that the infrastructure to manage, evaluate, and preserve the
flow of publication information that regular publishers have built up over
the years is sidelined, and although many readers of these columns may well
feel that nothing could possibly go wrong with keeping all one's information
digitally forever, let me remind you that we still have Sumerian clay
tablets from around 3000 BCE but that their memory sticks do not seem to
have survived :-)

Jurek Kirakowski

Re: "Did first DDOS attack sink the Titanic?" (Ardley, RISKS-26.80)

Scott Dorsey <>
Mon, 30 Apr 2012 11:20:23 -0400

> The industry has yet to design a resilient call response system that can
> handle peak overloads while still attending to routine but life critical
> calls.

Not at all.  The AUTOVON system was specifically designed with that in mind.
Civilian systems don't prioritize calls and have failures when too many
stations are placing calls simultaneously because it's not cost effective to
make them robust.
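A toy model of the difference Dorsey points to, added here as an example and
not a description of AUTOVON's actual design: a switch with a fixed number
of trunks that either serves calls first-come-first-served or admits calls
by precedence and preempts a lower-precedence call when it is full.  The
precedence names, the `Switch` class and the overload scenario are
assumptions of this example.

```python
from dataclasses import dataclass, field

# Precedence levels, higher number wins (a simplified, assumed ordering).
ROUTINE, PRIORITY, IMMEDIATE, FLASH = 0, 1, 2, 3


@dataclass
class Call:
    call_id: int
    precedence: int


@dataclass
class Switch:
    trunks: int                 # simultaneous calls the switch can carry
    preempt: bool               # True: precedence-based admission; False: first come, first served
    active: list = field(default_factory=list)
    blocked: list = field(default_factory=list)
    preempted: list = field(default_factory=list)

    def place(self, call: Call) -> bool:
        """Try to admit a call; returns True if it gets a trunk."""
        if len(self.active) < self.trunks:
            self.active.append(call)
            return True
        if self.preempt:
            victim = min(self.active, key=lambda c: c.precedence)
            if victim.precedence < call.precedence:
                self.active.remove(victim)      # drop the lowest-precedence call
                self.preempted.append(victim)
                self.active.append(call)
                return True
        self.blocked.append(call)               # busy signal
        return False


def overload_scenario(preempt: bool, trunks: int = 4, routine_calls: int = 10) -> dict:
    """Flood the switch with routine calls, then offer one life-critical call."""
    sw = Switch(trunks=trunks, preempt=preempt)
    for i in range(routine_calls):
        sw.place(Call(i, ROUTINE))
    admitted = sw.place(Call(routine_calls, FLASH))
    return {
        "emergency_admitted": admitted,
        "routine_blocked": sum(1 for c in sw.blocked if c.precedence == ROUTINE),
        "routine_preempted": len(sw.preempted),
    }


if __name__ == "__main__":
    print("first come, first served:", overload_scenario(preempt=False))
    print("precedence with preemption:", overload_scenario(preempt=True))
```

Under overload the first-come-first-served switch gives the critical call a
busy signal like any other, while the precedence switch admits it at the
cost of one routine call; an equal-precedence call never preempts another,
so the scheme cannot be used to push out calls of the same class.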

Workshop on the Economics of Information Security WEIS 2012

Jeremy Epstein <>
Fri, 4 May 2012 08:45:56 -0400

11th Workshop on the Economics of Information Security (WEIS),
Berlin, Germany, 25-26 June 2012

  Early Registration 31 May 2012

The Workshop on the Economics of Information Security (WEIS) is the leading
forum for interdisciplinary scholarship on information security and privacy,
combining expertise from the fields of economics, social science, business,
law, policy, and computer science. Prior workshops have explored the role of
incentives between attackers and defenders of information systems,
identified market failures surrounding Internet security, quantified risks
of personal data disclosure, and assessed investments in cyber-defense. The
2012 workshop builds on past efforts using empirical and analytic tools not
only to understand threats, but also to strengthen security and privacy
through novel evaluations of available solutions.

We encourage economists, computer scientists, legal scholars, business school
researchers, security and privacy specialists, as well as industry experts to
participate by attending the workshop.

Topics covered by the accepted research papers include:

- Optimal investment in information security
- Models and analysis of online crime
- Risk management and cyber-insurance
- Security standards and regulation
- Cyber-security policy
- Security models and metrics
- Economics of privacy and anonymity
- Behavioral security and privacy
- Vulnerability discovery, disclosure, and patching
- Cyber-defense strategy and game theory
- Incentives for information sharing and cooperation


Information security legends Ross Anderson and Bruce Schneier, both
co-founders of the workshop, review "10 Years WEIS" in a special session.
The workshop also features a panel discussion on the relation between privacy
economics and privacy policy, and a rump session, which is open for every
participant to briefly present work-in-progress or industry best practices.

The full program is available online:
