The RISKS Digest
Volume 26 Issue 86

Wednesday, 30th May 2012

Forum on Risks to the Public in Computers and Related Systems

ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator


Contents

Patient Died at New York VA Hospital After Alarm Was Ignored
Ornstein/Weber via Monty Solomon
Driverless cars
Martyn Thomas
Delta overcharges some fliers because of computer glitch
Monty Solomon
Hidden Danger of the Fukushima Daiichi Spent Fuel Pool 4
Tobin Maginnis
"Customers irked by Quickbooks Online outage"
Chris Kanaracus via Gene Wirchenko
Vint Cerf warns Web freedom is under attack
Lauren Weinstein
Utility network protection? No.
PGN
Bogus story: no Chinese backdoor in military chip
Errata Security via Lauren Weinstein
RSA [In]SecureID software token
Ben Moore
The Axis of Weevil?
PGN
Researchers Propose Way to Thwart Fraudulent Digital Certificates
Brian Prince
"iCloud user tracks down iPhone thief using photo stream"
Karen Haslam via Gene Wirchenko
Web billing biz ransacked, smashed offline by hacktivists
John Leyden via Monty Solomon
"New Trojan empties online customers' bank accounts"
Gene Wirchenko
Thailand convicts Webmaster for posted site comments
Fuller/Drew via Lauren Weinstein
New York Legislation Would Ban Anonymous Online Speech
Lauren Weinstein
UK surveillance program could expose private lives
Lauren Weinstein
Internet Voting Still Faces Hurdles in U.S.
ACM Tech News
IBM Outlaws Siri, Worried She Has Loose Lips
Robert McMillan via Monty Solomon
"Should you care that Siri is taking notes?"
Ted Samson via Gene Wirchenko
Re: Never Trust a Robot
Jane Hesketh
Re: Disruptions: Indiscreet Photos, Glimpsed Then Gone
Dag-Erling Smørgrav
Re: Illuminating dialog with a scammer
Alister William Macintyre
Info on RISKS (comp.risks)

Patient Died at New York VA Hospital After Alarm Was Ignored

Monty Solomon <monty@roscom.com>
Fri, 25 May 2012 22:32:36 -0400
  (Ornstein/Weber)

Patient Died at New York VA Hospital After Alarm Was Ignored

Charles Ornstein and Tracy Weber, ProPublica, 15 May 2012

Registered nurses at a Manhattan Veterans Affairs hospital failed to notice
a patient had become disconnected from a cardiac monitor until after his
heart had stopped and he could not be revived, according to a report Monday
from the VA inspector general.

The incident from last June was the second such death at the hospital
involving a patient connected to a monitor in a six-month period. The first,
along with two earlier deaths at a Denver VA hospital, raised questions
about nursing competency in the VA system, ProPublica reported last month.

The deaths also prompted a broader review of skills and training of VA
nurses. Only half of 29 VA facilities surveyed by the inspector general in a
recent report had adequately documented that their nurses had skills to
perform their duties. Even though some nurses "did not demonstrate
competency in one or more required skills," the government report stated,
there was no evidence of retraining. ...

http://www.propublica.org/article/patient-died-at-new-york-va-hospital-after-alarm-was-ignored


Driverless cars

Martyn Thomas <martyn@thomas-associates.co.uk>
Tue, 29 May 2012 15:36:26 +0100

http://www.bbc.co.uk/news/technology-18248841

A convoy of self-driven cars has completed a 200km (125-mile) journey on a
Spanish motorway, in the first public test of such vehicles.  ... The cars
are fitted with special features such as cameras, radar and laser sensors -
allowing the vehicle to monitor the lead vehicle and also other vehicles in
their immediate vicinity. Using wireless communication, the vehicles in the
platoon "mimic" the lead vehicle using autonomous control - accelerating,
braking and turning in exactly the same way as the leader.  The vehicles
drove at 85kph (52mph) with the gap between each vehicle just 6m (19ft).

"People think that autonomous driving is science fiction, but the fact is
that the technology is already here. From the purely conceptual viewpoint,
it works fine and road train will be around in one form or another in the
future," says Ms Wahlstroem.  "We've focused really hard on changing as
little as possible in existing systems. Everything should function without
any infrastructure changes to the roads or expensive additional components
in the cars.  Apart from the software developed as part of the project, it
is really only the wireless network installed between the cars that set them
apart from other cars available in showrooms today."

The project aims to herald a new age of relaxed driving.  According to
Volvo, drivers "can now work on their laptops, read a book or sit back and
enjoy a relaxed lunch" while driving.

What could possibly go wrong ...?

  [See Peter Houppermans's item in RISKS-26.83.  PGN]


Delta overcharges some fliers because of computer glitch

Monty Solomon <monty@roscom.com>
Sat, 19 May 2012 01:23:39 -0400
  (Nancy Trejos)

Nancy Trejos, *USA Today*, 15 May 2012

Delta Air Lines says a computer glitch caused inconsistencies in airfares
between fliers who were logged into the airline's website and those who were
not.  Delta spokesman Paul Skrbec told *Today in the Sky* that fares were
higher for some passengers and lower for others. The carrier has not yet
determined how many customers were affected, he said.

Minneapolis' WCCO first reported on the discrepancies after business
executives Patrick Smith and Steve Lisle, who happened to be booking flights
side-by-side from Minneapolis to St. Louis a few weeks ago, were given two
different prices for an economy seat. Lisle was not logged into his SkyMiles
account and was offered a ticket for $300 less. ...

http://travel.usatoday.com/flights/post/2012/05/delta-overcharges-some-fliers-because-of-computer-glitch/695130/1

2 Same Flights, 2 Different Prices: Frequent Flyer Discrepancies
May 15, 2012
http://minnesota.cbslocal.com/2012/05/15/2-same-flights-2-different-prices-frequent-flyer-discrepancies/


Hidden Danger of the Fukushima Daiichi Spent Fuel Pool 4

"Tobin Maginnis" <ptm@pix.cs.olemiss.edu>
May 30, 2012 9:07 AM

  [From David Farber's IP distribution.  PGN]

Your readers may like to see this Japanese documentary report on Fukushima
Daiichi Spent Fuel Pool 4 (click the closed caption button at the bottom
to view the English translation) that lays out how, if supports fail in one
building, it can precipitate a world-wide radioactive contamination event.

At 23:00: Shin-ichi Sano, Author:

The world had no choice but to pay attention.

Q: People have said that we must gather expertise from around the world in
order to solve the current problem. Regarding Fukushima, this has to
happen, don't you think?

A: Indeed. As you say, there is no time for silly arguments. If anything
happens, this is not just about the end of Japan, but probably the start of
the end of the world. I would like them to realize that we are in such a
crisis situation.

A Hidden Danger of the Fukushima Daiichi Spent Fuel Pool 4
http://www.youtube.com/watch?v=zuxFQewzPjk#
Published on May 29, 2012 by Goldieluvmj

IP Archives: https://www.listbox.com/member/archive/247/=now


"Customers irked by Quickbooks Online outage"

Gene Wirchenko <genew@ocis.net>
Mon, 28 May 2012 10:30:52 -0700

Chris Kanaracus, *IT Business*, 25 May 2012
Intuit says it has restored all customers, but angry sentiments linger.
http://www.itbusiness.ca/it/client/en/Home/News.asp?id=67640

Intuit's QuickBooks on-demand accounting system was switched over to its
backup center to maintain continuity of service with continued data
replication, while upgrading the primary system to fix a detected
performance problem.  However, during this process, an unspecified error
introduced a `synchronization gap', requiring both the primary and backup
systems to be taken off-line.  5700 customers were reportedly affected, with
varying degrees of delay and difficulty.  [PGN-ed]


Vint Cerf warns Web freedom is under attack

Lauren Weinstein <lauren@vortex.com>
Mon, 21 May 2012 09:54:11 -0700

  "Father of the Internet" Vint Cerf on Monday warned that Internet freedom
  is under threat from governments around the world, including the United
  States.  Cerf, a computer scientist who was instrumental in the Internet's
  creation, now employed by Google as its "Internet evangelist," said
  officials in the United States, United Kingdom and Europe are using
  intellectual property and cybersecurity issues "as an excuse for
  constraining what we can and can't do on the 'net."  http://j.mp/KFXskP
  (The Hill)


Utility network protection? No.

"Peter G. Neumann" <neumann@csl.sri.com>
Thu, 24 May 2012 6:14:08 PDT

  [Thanks to Gene Spafford.  PGN]

http://www.csmonitor.com/USA/2012/0517/Cybersecurity-How-US-utilities-passed-up-chance-to-protect-their-networks

One argument in favor of regulation: companies won't do it themselves.


Bogus story: no Chinese backdoor in military chip

Lauren Weinstein <lauren@vortex.com>
May 28, 2012 9:24:44 PM PDT

http://erratasec.blogspot.com/2012/05/bogus-story-no-chinese-backdoor-in.html
 (Errata Security)

"Today's big news is that researchers have found proof of Chinese
manufacturers putting backdoors in American chips that the military uses.
This is false.  While they did find a backdoor in a popular FPGA chip, there
is no evidence the Chinese put it there, or even that it was intentionally
malicious."

  [I agree with this article's analysis.  The original story was
  cyber-scaremongering.  LW]

    [See a lengthy blog item, Bogus story: no Chinese backdoor in military
    chip.  PGN]
http://erratasec.blogspot.com/2012/05/bogus-story-no-chinese-backdoor-in.html


RSA [In]SecureID software token

"Ben Moore" <ben.moore@juno.com>
Thu, 24 May 2012 16:02:56 GMT

The folks at RSA are at it again. SensePost's blog discussed how to derive
the device serial number of RSA's Windows SecurID software token.

"...the device serial number is dependent on the system's host name and
current user's windows security identifier (SID). An attacker, with access
to these values, can easily calculate the target token's device serial
number and bypass the [RSA SecurID] protection."
http://www.sensepost.com/blog/7045.html


The Axis of Weevil?

"Peter G. Neumann" <neumann@csl.sri.com>
Thu, 24 May 2012 12:04:06 PDT

Yahoo! today released its Axis extension for Chrome—and accidentally
leaked its private security key that could allow anyone to create malicious
plugins masquerading as official Yahoo! software

http://www.theregister.co.uk/2012/05/24/yahoo_ships_private_certificate_by_accident/
  [Thanks to Phil Porras.  PGN]

There are signs that the Axis release was just a *bit* rushed.  Users have
found chunks of the development environment in the released code, and Yahoo
appears to have accidentally included their *private* crypto signing key as
well:
  http://j.mp/Jpgmw2   (Google+)

And their Terms of Service link at the moment leads to a placeholder:
  http://j.mp/JpfKX8  (Google+)
    [Thanks to Lauren Weinstein.  PGN]


Researchers Propose Way to Thwart Fraudulent Digital Certificates

ACM TechNews <technews@HQ.ACM.ORG>
Wed, 30 May 2012 11:24:58 -0400

Brian Prince, eWeek, 24 May 2012 [via ACM TechNews, Wednesday, May 30, 2012]

Security researchers Moxie Marlinspike and Trevor Perrin say an extension to
the transport layer security (TLS) protocol could help address spoofing
attacks on the Secure Sockets Layer certificate ecosystem.  They have
proposed an approach called Trust Assertions for Certificate Keys (TACK),
which enables a Web site to sign its TLS server's public keys with a TACK
key.  Clients can pin a hostname to the TACK key without requiring sites to
make changes to their existing certificate chains or limiting their ability
to deploy different certificate chains on different servers or change
certificate chains at any time.  Marlinspike and Perrin note that inside the
TACK is a public key and signature.  "Once a client has seen the same
[hostname, TACK public key] pair multiple times, the client will 'activate'
a pin between the hostname and TACK key for a period equal to the length of
time the pair has been observed for," the researchers say.  "This 'pin
activation' process limits the impact of bad pins resulting from transient
network attacks or operator error."  The browser will reject the session and
alert the user when it comes across a fraudulent certificate on a pinned
site.
http://www.eweek.com/c/a/Security/Researchers-Propose-Way-to-Thwart-Fraudulent-Digital-Certificates-121509/
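The "pin activation" rule quoted above is easy to misread, so here is a small model of it in Python. This is an added illustration, not the reference code of Marlinspike and Perrin or of any browser; it assumes the TACK's own signature has already been verified by the TLS layer, that the active period is capped at 30 days (the cap in the TACK draft; treated here as an assumption), and all key material, SPKI bytes and hostnames are constructed. A pin is created inactive on first sight, becomes active only when the same (hostname, TACK key) pair is seen again, and is then enforced for as long as the pair has been observed, so a one-off interception or a misconfigured server cannot plant a long-lived bad pin.

```python
"""Model of TACK-style pin activation (illustrative; not the TACK reference code)."""
import hashlib
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

DAY = 24 * 3600
MAX_ACTIVE_PERIOD = 30 * DAY   # assumption: TACK draft caps an active pin at 30 days


@dataclass(frozen=True)
class Tack:
    public_key: bytes    # the TACK signing key; this, not the TLS key, is what gets pinned
    target_hash: bytes   # SHA-256 of the TLS server public key (SPKI) this TACK signs
    # The TACK's own signature over these fields is assumed verified by the caller.


@dataclass
class Pin:
    key_id: bytes        # fingerprint of the pinned TACK key
    initial_time: float  # when this (hostname, TACK key) pair was first seen
    end_time: float      # enforced until this time; equals initial_time while inactive


def key_id(public_key: bytes) -> bytes:
    return hashlib.sha256(public_key).digest()[:8]


def make_tack(public_key: bytes, server_spki: bytes) -> Tack:
    """Build a TACK binding a TACK key to a server's TLS public key (constructed)."""
    return Tack(public_key, hashlib.sha256(server_spki).digest())


class TackClient:
    def __init__(self) -> None:
        self.pins: Dict[str, Pin] = {}

    def check_connection(self, now: float, hostname: str, server_spki: bytes,
                         tack: Optional[Tack]) -> Tuple[bool, str]:
        """Decide whether to accept a TLS session, then update pin state."""
        pin = self.pins.get(hostname)
        active = pin is not None and now < pin.end_time
        # A TACK that does not cover the key the server actually presented is worthless.
        if tack is not None and tack.target_hash != hashlib.sha256(server_spki).digest():
            return False, "tack target does not match server key"
        kid = key_id(tack.public_key) if tack is not None else None
        # Enforcement: an active pin must be matched by a TACK under the same key;
        # a missing TACK (kid is None) on a pinned host is also a violation.
        if active and kid != pin.key_id:
            return False, "active pin violated"
        # Pin activation bookkeeping happens only when a TACK is present.
        if tack is not None:
            if pin is None or pin.key_id != kid:
                # First sighting of this pair (or an expired pin for another key):
                # record it, but leave it inactive (end_time == initial_time).
                self.pins[hostname] = Pin(kid, now, now)
            else:
                # Same pair seen again: enforce for as long as it has been observed,
                # capped at MAX_ACTIVE_PERIOD.
                pin.end_time = now + min(now - pin.initial_time, MAX_ACTIVE_PERIOD)
        return True, "ok"


def demo():
    """Walk a client through a legitimate site, an interception attempt, and expiry."""
    client = TackClient()
    site_spki = b"constructed legitimate server SPKI"
    site_tack = make_tack(b"constructed site TACK key", site_spki)
    mitm_spki = b"constructed attacker SPKI"
    mitm_tack = make_tack(b"constructed attacker TACK key", mitm_spki)
    return [
        client.check_connection(0 * DAY, "example.com", site_spki, site_tack),   # recorded, inactive
        client.check_connection(1 * DAY, "example.com", site_spki, site_tack),   # activated until day 2
        client.check_connection(1.5 * DAY, "example.com", mitm_spki, mitm_tack), # rejected
        client.check_connection(1.5 * DAY, "example.com", site_spki, None),      # rejected, no TACK
        client.check_connection(5 * DAY, "example.com", site_spki, site_tack),   # re-activated until day 10
    ]


if __name__ == "__main__":
    for ok, reason in demo():
        print(ok, reason)
```

The last step shows the design trade-off: after the pin lapses, the same key re-activates it for a longer period (five days observed, five days enforced), whereas a different key seen after expiry simply replaces the pin and starts over inactive.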


"iCloud user tracks down iPhone thief using photo stream"

Gene Wirchenko <genew@ocis.net>
Fri, 25 May 2012 09:48:29 -0700
  (Karen Haslam)

http://www.itbusiness.ca/it/client/en/cdn/News.asp?id=67617
Karen Haslam, *IT Business*, 24 May 2012
Stolen iPhone beams back photos, displayed in Facebook album


Web billing biz ransacked, smashed offline by hacktivists

Monty Solomon <monty@roscom.com>
Wed, 23 May 2012 19:38:40 -0400
  (John Leyden)

WHMCS calls the Feds after credit-card megaleak
John Leyden, 22 May 2012

WHMCS, which provides billing and customer support tech to many web hosts,
was comprehensively hacked on Monday and remains offline.

Hackers tricked WHMCS's own hosting firm into handing over admin credentials
to its servers. The group that carried out the hack, UGNazi, subsequently
extracted the billing company's database before deleting files, essentially
trashing the server and leaving services unavailable in the process. The
compromised server hosted WHMCS's main website and supported customers'
installations of its technology.

UGNazi also gained access to WHMCS's Twitter account, which it used to
publicise a series of posts on Pastebin that contained links to locations
from which the billing firm's customer records and other sensitive data
might be downloaded. A total of 500,000 records, including customer credit
card details, were leaked as a result of the hack. ...

http://www.theregister.co.uk/2012/05/22/whmcs_breach/

Hacker group UGNazi leaks and deletes billing service's database

The group used social engineering to access WHMCS's customer
database, then leaked 500,000 records online
May 22, 2012
http://www.infoworld.com/t/hacking/hacker-group-ugnazi-leaks-and-deletes-billing-services-database-193867

Hackers Impersonate Web Billing Firm's Staff To Spill 500,000 Users'
Passwords And Credit Cards
May 22, 2012
http://www.forbes.com/sites/andygreenberg/2012/05/22/hackers-impersonate-web-billing-firms-staff-to-spill-500000-users-passwords-and-credit-cards/


"New Trojan empties online customers' bank accounts"

Gene Wirchenko <genew@ocis.net>
Wed, 23 May 2012 09:51:44 -0700

Antone Gonsalves, *IT Business*, 22 May 2012
The Tatanga Trojan was first spotted by German banks, cybersecurity firm
Trusteer says.
  http://www.itbusiness.ca/it/client/en/Home/News.asp?id=67572


Thailand convicts Webmaster for posted site comments

Lauren Weinstein <lauren@vortex.com>
Wed, 30 May 2012 08:29:55 -0700

  Thomas Fuller and Kevin Drew, *The New York Times*, 30 May 2012
  "Google and human rights groups reacted strongly on Wednesday to a Thai
  court's decision to convict the webmaster of an Internet message board for
  comments posted by users that insulted the Thai royal family."
  http://j.mp/KwEzjC

Unfortunately, an entirely predictable development. Ultimately, governments
want to control Internet content. They vary in their approaches and degrees,
but free expression of the sort the Internet enables, fundamentally
undermines traditional information control regimes.

  [Unblessed be the Thai that blinds.  PGN]


New York Legislation Would Ban Anonymous Online Speech

Lauren Weinstein <lauren@vortex.com>
Tue, 22 May 2012 13:27:13 -0700

  Did you hear the one about New York state lawmakers who forgot about the
  First Amendment in the name of combating cyberbullying and "baseless
  political attacks"?  Proposed legislation in both chambers would require
  New York-based websites, such as blogs and newspapers, to "remove any
  comments posted on his or her website by an anonymous poster unless such
  anonymous poster agrees to attach his or her name to the post." ...
  David Kravets, WiReD, 22 May 2012  http://j.mp/KwmzAX

Probability that the legislators involved are opportunists and/or clueless?
  = 100%

Probability that such legislation could pass Constitutional muster? = 0%

Infuriating that they even waste time on this nonsense.


UK surveillance program could expose private lives (NNSquad)

Lauren Weinstein <lauren@vortex.com>
Fri, 18 May 2012 10:38:37 -0700

  "British officials have given their word: "We won't read your emails."
  But experts say the government's proposed new surveillance program will
  gather so much data that spooks won't have to read your messages to guess
  what you're up to."  http://j.mp/LeF0dS  (AP / Quad City Times)

The seriously disingenuous aspect of Kane's comments is his equating
government collection of mass header and traffic analysis data on an
involuntary basis—with voluntary usage of Web-based services.  Trying to
equate the two in the privacy realm is fundamentally dishonest.


Internet Voting Still Faces Hurdles in U.S.

ACM TechNews <technews@HQ.ACM.ORG>
Fri, 25 May 2012 11:18:19 -0400

More than two dozen states will accept some form of electronic or faxed
ballots in the U.S. 2012 elections, according to the Verified Voting
Foundation.  However, computer security experts contend that any system can
be hacked or manipulated, which poses a big threat to online voting systems.
"You have computer systems such as those of Google, the Pentagon, and
Facebook, which have all fallen victim to intrusion," notes University of
Michigan computer scientist J. Alex Halderman.  Meanwhile, other countries
are moving forward with Internet voting plans.  For example, French citizens
living abroad this year will be able to vote on the Internet in a
parliamentary election.  In Estonia, a record 25 percent of voters cast
Internet ballots in 2011.  In the United States, election officials are
examining the costs of the technology while struggling with how to make
voting more accessible, says Ohio deputy election administrator Matt
Masterson.  He notes online voting can help boost participation and address
the issue of voters who cannot get to a polling station.  The U.S. National
Institute of Standards and Technology recently concluded that Internet
voting systems cannot currently be audited with a comparable level of
confidence in the audit results as those for polling stations.  [Agence
France-Presse, 24 May 2012]
  http://www.turkishpress.com/news.asp?id=382334


IBM Outlaws Siri, Worried She Has Loose Lips (Robert McMillan)

Monty Solomon <monty@roscom.com>
Tue, 22 May 2012 21:18:40 -0400

Robert McMillan, 22 May 2012

If you work for IBM, you can bring your iPhone to work, but forget about
using the phone's voice-activated digital assistant. Siri isn't welcome on
Big Blue's networks.

The reason? Siri ships everything you say to her to a big data center in
Maiden, North Carolina. And the story of what really happens to all of your
Siri-launched searches, e-mail messages and inappropriate jokes is a bit of
a black box.

IBM CIO Jeanette Horan told MIT's Technology Review this week that her
company has banned Siri outright because, according to the magazine, "The
company worries that the spoken queries might be stored somewhere."

It turns out that Horan is right to worry. In fact, Apple's iPhone Software
License Agreement spells this out: "When you use Siri or Dictation, the
things you say will be recorded and sent to Apple in order to convert what
you say into text," Apple says. Siri collects a bunch of other information -
names of people from your address book and other unspecified user data, all
to help Siri do a better job.

How long does Apple store all of this stuff, and who gets a look at it?
Well, the company doesn't actually say. Again, from the user agreement: "By
using Siri or Dictation, you agree and consent to Apple's and its
subsidiaries' and agents' transmission, collection, maintenance, processing,
and use of this information, including your voice input and User Data, to
provide and improve Siri, Dictation, and other Apple products and services."

Because some of the data that Siri collects can be very personal, the
American Civil Liberties Union put out a warning about Siri just a couple of
months ago. ...

http://www.wired.com/wiredenterprise/2012/05/ibm-bans-siri/

Note to Self: Siri Not Just Working for Me, Working Full-Time for Apple, Too
By Nicole Ozer, ACLU of Northern California (Mar 12, 2012 at 10:00 am)
https://www.aclunc.org/issues/technology/blog/note_to_self_siri_not_just_working_for_me,_working_full-time_for_apple,_too.shtml


"Should you care that Siri is taking notes?" (Ted Samson)

Gene Wirchenko <genew@ocis.net>
Fri, 25 May 2012 09:24:25 -0700

Ted Samson, InfoWorld, InfoWorld Tech Watch, 25 May 2012
Should you care that Siri is taking notes?
IBM blocks Siri on networked devices even as it acknowledges it sees
no threat in Apple capturing voice commands from users
http://www.infoworld.com/t/data-security/should-you-care-siri-taking-notes-194136

opening paragraph:

If you ask Siri, the iPhone's voice-controlled personal assistant, to
schedule a sales meeting with a potential new client at a restaurant across
town, Siri will dutifully carry out your command (barring any service
hiccups)—and send that information to a server farm in North Carolina to be
converted into text and saved. That revelation has bubbled up in the tech
world after IBM CIO Jeanette Horan recently told MIT's Technology Review
that Big Blue blocks Siri on employees' iOS devices because Apple stores
potentially sensitive voice-inputted data.


Re: Never Trust a Robot (RISKS-26.83)

Jane Hesketh <>
Sat, 19 May 2012 12:10:31 +0100

As a cruising sailor of some years' experience, I'd like to point out that
there is a simpler explanation for the sad accident than the one where
experienced sailors fail to use electronic charts sensibly.

The maximum hull speed of a Hunter 376 (the boat in the incident) is 7.6
knots (8.75 mph / 14.1kph). Enough to hit the rocks, but not at car-crash
speeds.  People sailing or motoring at this speed try to take the quickest
course. If there is an obstruction, common practice is to set a GPS waypoint
close to it (good) or even on it (bad) with an alarm, so that on reaching it
you are prompted to change course to go round.  These alarms aren't loud,
they're only intended to alert someone in the cockpit, not wake the whole
boat. If there is only one person on watch, and they fail to respond and
change course, depending on the boat's electronic systems it is entirely
possible that it will just keep going on the current course. If the crew
member on watch has fallen overboard, maybe trying to fix a problem or (if
male) is relieving himself over the side and loses his balance - a
depressingly common occurrence - that is what will happen. Reports say the
middle-aged male skipper was found separate from the others.  Unless the
rest of the crew are alerted quickly, the casualty is left behind and the
boat sails on potentially unsupervised.

In this scenario there are still RISKS of course. Firstly making it easy to
have a single point of failure. Technology helps people sail more
short-handed than was once the case. The racing yachts would more likely
have a number of people active on board, who would notice if someone fell
off and hear an alert even one crew member down. Secondly technology's
inability to operate beyond the world it is designed for, to recognise when
it is outside its competence.


Re: Disruptions: Indiscreet Photos, Glimpsed Then Gone (RISKS-26.83)

Dag-Erling Smørgrav <des@des.no>
Tue, 29 May 2012 12:31:33 +0200

> http://www.youtube.com/watch?v=IFe9wiDfb0E

That link doesn't seem to work any more.
  [It does.  I failed to delete two extra `3D' strings that your mail system
  coerces. Now fixed.  PGN]

Here's the original:
  http://www.tomscott.com/life/

I should probably have provided a summary: the video is an artist's
impression of what you'd see if your consciousness was uploaded to silicon
upon your death.  It includes a sequence where the system edits the
subject's memories to remove all occurrences of copyrighted works because
the subject's estate can't afford the $19,000 monthly licensing fee.


Re: Illuminating dialog with a scammer

"Al Mac Wow = Alister William Macintyre" <macwheel99@wowway.com>
Mon, 28 May 2012 15:09:58 -0500

There are several variations on this phone call phishing, which I think is a
great risk to unsophisticated PC users.  I have had several calls where I
suspect this criminal underworld now has a database of info they elicited
from me in prior scam calls, to try to refine their technique.

They now know I have two PCs in my house, and can tell me which one they are
calling about.

Internet Storm Center (ISC of SANS) is now tracking those phishing phone
calls, made in an Indian accent, which say they are from Microsoft Support,
or some such variation. If you get one, you can now add your experiences to
their statistics.

https://isc.sans.edu/reportfakecall.html
