The Risks Digest

The RISKS Digest

Forum on Risks to the Public in Computers and Related Systems

ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

Volume 26 Issue 02

Sunday 18 April 2010

Contents

BofA insider to plead guilty to hacking ATMs
Robert McMillan via PGN
RFID zapper made from a disposable camera!
Eurekalert
FDA Toughens Process for Radiation Equipment
Walt Bogdanich
Labour attacked over mailshot to cancer patients
via Ross Anderson
apache.org hacked
Jidanni
China disrupts the Internet again
Robert McMillan
Is your security policy smarter than a 3rd grader?
Jeremy Epstein
Small policy violations add up
Jeremy Epstein
Israel confiscates visiting iPads
via Monty Solomon
Re: Canada's planned electronic passports easy to hack?
Adam Laurie
EU project may monitor airline passengers' conversations
Lauren Weinstein
Is it risky to make Hannah Montana tickets expensive?
Jeremy Epstein
Unintended consequence of water conservation: bursting pipes
Danny Burstein
Re: ... circumventing Bayesian filters
John Levine
Jonathan Kamens
Re: YOUR SAT NAV IS WRONG - GO BACK!
Dag-Erling Smørgrav
GPS jamming - request for information
Martyn Thomas
Retracting my observation of the USPS CofA
FJohn Reinke
New Book: Cryptography Engineering
Bruce Schneier
Info on RISKS (comp.risks)

BofA insider to plead guilty to hacking ATMs

"Peter G. Neumann" <neumann@csl.sri.com>
Mon, 12 Apr 2010 21:03:51 PDT

Rodney Reed Caverly, a Bank of America computer specialist who had developed
and maintained ATM (and other) software, has been charged with computer
fraud.  In 2009, he reportedly was able to get ATMs to dispense cash while
bypassing the audit trail that would record his transactions.  The maximum
sentence would be five years in prison.  [Source: Robert McMillan, *Computer
World*, 7 Apr 2010; PGN-ed]
http://www.computerworld.com/s/article/9174991/BofA_insider_to_plead_guilty_to_hacking_ATMs

  [Highly relevant to this item is a forthcoming book, *Insider Threats in
  Cyber Security and Beyond*, edited by Christian Probst, Jeffrey Hunker,
  Dieter Gollmann, and Matt Bishop, which has just gone to press at Springer
  Verlag.  It includes a chapter I wrote that specifically considers the
  potential roles of insider misuse in computer-related election systems.  A
  table at the end summarizes a few cases of insider misuse that have
  appeared in RISKS over the years.  The burgeoning incidence of insider
  misuse cases should be an alarm for people who believe in the integrity of
  existing paperless (and essentially unauditable) computer-based systems.]


RFID zapper made from a disposable camera! (Eurekalert)

"Peter G. Neumann" <neumann@csl.sri.com>
Thu, 15 Apr 2010 14:04:21 PDT

  [Thanks to Ken Nitz.  PGN]

  Safer swiping while voting and globetrotting: Tel Aviv University security
  expert finds security holes in America's passports and 'smart cards'
http://www.eurekalert.org/multimedia/pub/21697.php?from=158414

Since 2007, every new U.S. passport has been outfitted with a computer
chip. Embedded in the back cover of the passport, the "e-passport" contains
biometric data, electronic fingerprints and pictures of the holder, and a
wireless radio frequency identification (RFID) transmitter.

Although the system was designed to operate at close range, hackers were
able to access it from afar --- until research by Prof. Avishai Wool of Tel
Aviv University's School of Electrical Engineering helped ensure that the
computer chip in American e-passports could be read only when the passport
is opened. The research has been cited by organizations including the
Electronic Frontier Foundation.   [Corrected affiliation in archives.  PGN]

Now, a new study from Prof. Wool finds serious security drawbacks in similar
chips that are being embedded in credit, debit and "smart" cards. The
vulnerabilities of this electronic approach -- and the vulnerability of the
private information contained in the chips -- are becoming more acute. Using
simple devices constructed from $20 disposable cameras and copper
cooking-gas pipes, Prof. Wool and his students have demonstrated how easily
the cards' radio frequency (RF) signals can be disrupted. The work will be
presented at the IEEE RFID conference in Orlando, FL, this month.

More than one way to hack a chip

Prof. Wool's most recent research centers on the new "e-voting" technology
being implemented in Israel. "We show how the Israeli government's new
system based on the RFID chip is a very risky approach for security
reasons. It allows hackers who are not much more than amateurs to break the
system," Prof. Wool explains. "One way to catch hackers, criminals and
terrorists is by thinking like one."

http://www.eurekalert.org/multimedia/pub/21698.php?from=158414

In his lab, Prof. Wool constructed an attack mechanism ---- an RFID
"zapper"-- from a disposable camera. Replacing the camera's bulb with an
RFID antenna, he showed how the EMP (electro-magnetic pulse) signal produced
by the camera could destroy the data on nearby RFID chips such as ballots,
credit cards or passports. "In a voting system, this would be the equivalent
of burning ballots -- but without the fire and smoke," he says.

Another attack involves jamming the radio frequencies that read the
card. Though the card's transmissions are designed to be read by antennae no
more than two feet distant, Prof. Wool and his students demonstrated how the
transmissions can be jammed by a battery-powered transmitter 20 yards
away. This means that an attacker can disable an entire voting station from
across the street. Similarly, a terror group could "jam" passport systems at
U.S. border controls relatively easily, he suggests.

The most insidious type of attack is the "relay attack." In this scenario,
the voting station assumes it is communicating with an RFID ballot near it
-- but it's easy for a hacker or terrorist to make equipment that can trick
it. Such an attack can be used to transfer votes from party to party and
nullify votes to undesired parties, Prof.  Wool demonstrates. A relay attack
may also be used to allow a terrorist to cross a border using someone else's
e-passport.

How to make "smart cards" smarter

"All the new technologies we have now seem really cool. But when anything
like this first comes onto the market, it will be fraught with security
holes," Prof. Wool warns. "In America the Federal government poured a lot of
money into e-voting, only to discover later that the deployed systems were
vulnerable. Over the last few years we've seen a trend back towards systems
with paper trails as a result."

But there are some small steps that can be taken to make smart cards
smarter, says Prof. Wool. The easiest one is to shield the card with
something as simple as aluminium foil to insulate the e-transmission. In the
case of e-voting, a ballot box could be made of conductive materials. The
State Department has already taken Prof. Wool's advice: since 2007, they've
also added conductive fibres to the back of every American passport.


FDA Toughens Process for Radiation Equipment (Walt Bogdanich)

"Peter G. Neumann" <neumann@csl.sri.com>
Fri, 9 Apr 2010 21:24:53 PDT

Problems with computer software were most frequently cited as a cause for
the errors, according to letter sent Thursday by Dr. Jeffrey Shuren,
director of the agency's Center for Devices and Radiological Health.  He
said that the agency's analysis “revealed device problems that appear to be
the result of faulty design or use error that could be mitigated by the
incorporation of additional safeguards.”  [Source: Walt Bogdanich, *The New
York Times*, 9 Apr 2019; PGN-ed TNX to dkross]
  http://www.nytimes.com/2010/04/09/health/policy/09radiation.html


Labour attacked over mailshot to cancer patients

"Peter G. Neumann" <neumann@csl.sri.com>
Sun, 11 Apr 2010 13:29:39 PDT

  "The Conservatives and the Liberal Democrats have attacked the Labour
  Party for sending "alarmist" literature to cancer patients, and called for
  an inquiry into whether NHS databases had been used to identify
  recipients.  The row erupted after Labour sent cancer patients mailshots
  saying that their lives may be at risk under a Conservative government."

[Source: Article by Chris Hastings, Maurice Chittenden and Nyta Mann,
(London) *Times Online*, 11 Apr 2010; Noted by Ross Anderson]
http://www.timesonline.co.uk/tol/life_and_style/health/article7094604.ece#cid=OTC-RSS&attr=797084


apache.org hacked

<jidanni@jidanni.org>
Sun, 18 Apr 2010 06:55:10 +0800

"Leave it to big organizations to allow something this massive to occur
un-noticed. It's why we have the stupid PCI standards we have today that do
nothing but take the time out of businesses that always played by the
security rules while the big guys were careless. There's a lot of blame and
fingerpointing from who-ever wrote this but all the blame and fingerpointing
should be pointing right at Apache. This attack had nothing to do with
Linux, Slicehost, or whatever else is thrown in to tell a story. Who doesn't
block brute force attacks in 2010? Who doesn't use real password encryption?
Its mindblowing, but im not surprised the big guys always make a muck of
things and then the little guys are stuck dealing with the aftermath."
  https://blogs.apache.org/infra/entry/apache_org_04_09_2010#comments


China disrupts the Internet again

"Peter G. Neumann" <neumann@csl.sri.com>
Fri, 9 Apr 2010 5:16:57 PDT

[Source: Robert McMillan, IDG News Service, 8 Apr 2010; Noted by Jeremy
Epstein, with the comment, `BGPsec value demonstrated again'.  PGN-ed]
http://www.networkworld.com/news/2010/040810-a-chinese-isp-momentarily-hijacks.html

For the second time in two weeks, bad networking information spreading from
China disrupted the Internet (for about 20 minutes).  On 8 Apr 2010, bad
routing data from a small Chinese ISP called IDC China Telecommunication was
re-transmitted by China's state-owned China Telecommunications, and then
spread around the Internet, affecting Internet service providers such as
AT&T, Level3, Deutsche Telekom, Qwest Communications and Telefonica.  During
that time IDC China Telecommunication transmitted bad routing information
for between 32,000 and 37,000 networks, redirecting them to IDC China
Telecommunication instead of their rightful owners.  These networks included
about 8,000 U.S. networks including those operated by Dell, CNN, Starbucks
and Apple. More than 8,500 Chinese networks, 1,100 in Australia and 230 owned
by France Telecom were also affected. [...]


Is your security policy smarter than a 3rd grader?

Jeremy Epstein <jeremy.j.epstein@gmail.com>
Fri, 16 Apr 2010 11:21:55 -0400

In Fairfax County Virginia, a 9-year-old boy was caught accessing the
Blackboard account of Dr. Jack Dale, superintendent of schools.  Initial
reports were that he "hacked" the system, but the real answer came out:

(1) He got a teacher's password - perhaps it was on a yellow sticky, but
    that's not been described.
(2) He logged in as the teacher.
(3) The security policy allowed him to add a "student" to the class - in
    this case, Superintendent Jack Dale.
(4) The security policy allows him to change the password of any student in
    the class - again, Jack Dale.
(5) He logged in as Jack Dale.

Each of these policies makes sense individually, but when put together, the
result was.... surprising!

http://www.washingtonpost.com/wp-dyn/content/article/2010/04/14/AR2010041404159.html
(Original article says the student "hacked" the system and got administrator
privileges)
http://www.washingtonpost.com/wp-dyn/content/article/2010/04/15/AR2010041505517.html
(Says that there was no hacking, and outlines the above sequence of steps)


Small policy violations add up

Jeremy Epstein <jeremy.j.epstein@gmail.com>
Sun, 11 Apr 2010 08:17:21 -0400

An Israeli soldier is being accused of leaking 2000 classified documents to
a reporter.  That in itself isn't relevant to RISKS (nor is the contents of
the classified documents), but *how* she got the documents out is relevant
-- several "minor" policy violations that combined allowed a major leak.
First, on orders from her commanding general, she moved documents from a
classified system which did not allow printing to an unclassified system so
she could print the documents at the general's request.  Second, the IT
department, at her request, disabled the controls that prevented access to
external media, thus allowing her to write to removable media (I assume a
CD-ROM or similar).  Third, the system designed to detect improper actions
(e.g., leaks) was not yet enabled.

Risks?  In a system with multiple layers of control, we can get complacent
about individual controls operating correctly, and the controls fail.

http://www.haaretz.com/hasen/spages/1161826.html


Israel confiscates visiting iPads

Monty Solomon <monty@roscom.com>
Thu, 15 Apr 2010 23:31:34 -0400

http://www.theregister.co.uk/2010/04/14/ipad_banned_in_israel/
http://www.haaretz.com/hasen/spages/1162992.html


Re: Canada's planned electronic passports easy to hack? (Kruk, 26.01)

Adam Laurie <adam@algroup.co.uk>
Mon, 12 Apr 2010 11:34:11 +0100

> In one of his more famous demonstrations, Laurie in 2008 created a passport
> for Elvis Presley, and scanned the document at an automated passport scanner
> in an airport in Amsterdam. ...

Actually, the Elvis stunt was performed by Jeroen van Beek, although we do
regularly work on such things together...

  http://www.dexlab.nl/epassports.html

We later performed an even more fun trick at the same Amsterdam location, in
which he presented an off-the-shelf USB RFID reader to the passport
verification system, and it relayed a passport I was holding to a similar
reader in the UK, using a mobile phone data link. In other words, the
Amsterdam system believed it had been presented with a passport that was not
even in the country at the time. This technique also defeats all the new
security measures such as active authentication etc., as it is using a
genuine passport, albeit it one that is somewhere else at the time...

Adam Laurie, Suite 117, 61 Victoria Road, Surbiton, Surrey KT6 4JX
http://rfidiot.org  +44 (0) 20 7993 2690


EU project may monitor airline passengers' conversations

<privacy@vortex.com>
Thu, 8 Apr 2010 22:52:19 -0700

EU project may monitor airline passengers' conversations
  http://bit.ly/biUxXQ  (The MoveChannel.com)

Whatever you do, don't tell your seatmate that the in-flight movie is a
"bomb!"   Lauren Weinstein


Is it risky to make Hannah Montana tickets expensive?

Jeremy Epstein <jeremy.j.epstein@gmail.com>
Fri, 9 Apr 2010 14:28:31 -0400

*The Washington Post* is reporting that a team of Bulgarian programmers
developed a system that buys tickets from Ticketmaster as soon as they go on
sale, allowing their US-based partners to then resell the tickets at higher
prices.  The group, which calls themselves Wiseguys, has software that can
handle the CAPTCHAs, avoids maxing out credit cards, and makes deliberate
"mistakes" in typing to avoid getting caught by the Ticketmaster system.

Is this illegal or just clever programming?  They're not being charged with
scalping the tickets (which isn't a federal crime, but is in many states and
localities)., but with conspiracy, wire fraud and computer crimes
("fraudulent misrepresentation and computer hacking" according to the
indictment).  There's no claim that they did what is currently known as
"hacking" (i.e., breaking into computer systems), but actually is more akin
to what was once known as hacking, namely coming up with clever solutions to
a problem (in this case, purchasing tickets online).

Initially, I thought this was a clear risk that having online systems for
selling tickets makes it easier for scalpers to corner the market than in
the old days where the systems were closed and you had to purchase on the
telephone or in person at a ticket office.  But as I thought more about it,
I realized that having Hannah Montana (*) tickets priced through the
stratosphere is a major advantage for those of us with pre-teenage daughters
- it's easy to tell them that $500 is too much for a ticket, but harder to
make the argument at $50.

http://www.washingtonpost.com/wp-dyn/content/article/2010/04/08/AR2010040805594.html?hpid=moreheadlines
Indictment at http://www.washingtonpost.com/wp-srv/metro/documents/wiseguys022310.pdf

(*) Hannah Montana is a so-called entertainer who appeals exclusively
to pre-teenage girls.


Unintended consequence of water conservation: bursting pipes

danny burstein <dannyb@panix.com>
Wed, 14 Apr 2010 18:00:30 -0400 (EDT)

  Various areas around Los Angeles have had an increasing number of water
  pipes breaking.  Some folk are suggesting that... the water restrictions
  in the area (no lawn watering, etc.) are leading to higher pipe pressures,
  causing more and more failures.

A blue-ribbon panel of scientists said Tuesday that the high-volume water
main breaks that bedeviled Los Angeles last summer and fall were caused in
part by the city's restrictions on lawn watering, and their findings could
force the city to remake its strict water conservation policy.

The city last June limited the use of lawn sprinklers to Mondays and
Thursdays, and those restrictions have proved highly successful.  Officials
said Tuesday that in February, Los Angeles had its lowest recorded water use
in 31 years.

But the water conservation policy was too much for the city's aging network
of cast-iron iron pipes, causing fluctuations in water pressure that
strained them to the bursting point...

[Source: LA Times, 14 Apr 2010]
http://www.latimes.com/news/local/la-me-water-mains14-2010apr14,0,7323987.story

  The story as reported is short on many of the details that I'd have liked
  to see, such as a 24-hour time line of the pipe breaks (water use is lower
  at night, pressure goes up).

    [Although this is not particularly RISKS-related, it is illustrative of
    policy decisions that have implementation implications.  PGN]


Re: ... circumventing Bayesian filters (Kamens, RISKS-26.01)

John Levine <johnl@iecc.com>
9 Apr 2010 03:08:10 -0000

Those are called hash busters or, occasionally, word salad, and they've been
a well known spammer trick since about 2002.

Hash busters have been around so long that it's more amazing that your
package can't deal with them.  SpamAssassin has had ways to keep hash
busters out of the bayesian filters at least since version 3.0 in
2004.  Modern spam filters deal with them so well that spammers rarely
bother with them any more.

There must be a bad pun lurking here along the lines of reinventing
the salad spinner.


Re: ... circumventing Bayesian filters (Levine, RISKS-26.02)

Jonathan Kamens <jik@kamens.brookline.ma.us>
Fri, 09 Apr 2010 06:43:47 -0400

> Responding to John Levine:
> Those are called hash busters or, occasionally, word salad, and
> they've been a well known spammer trick since about 2002.

That may be, but as far as I can tell, there is something different about
their newest incarnation that makes them orders of magnitude (and yes, I
know what "order of magnitude" means and mean it literally) more effective
than anything that has come before.

One of the things I've always loved about Bayesian filters like bogofilter
is their simplicity and elegance, their "purity," if you will.

Filters like SpamAssassin apply a large number of rules to incoming email
messages.  Each rule is of the form, "Based on this rule, how likely is it
that this message is spam?"  The scores from all the rules are added
together, and if the result exceeds a preset threshold, the message is
considered spam.

That's a perfectly fine way of doing things, but the weights and scores tend
to be quite arbitrary, and users and developers can end up spending a lot of
time tweaking the various rules and their weights to arrive at an effective
configuration.

In contrast, a Bayesian filter like bogofilter has just one rule -- a
mathematical formula based on the tokens in each message and the frequency
with which those tokens have appeared in spam and "ham" messages in the
past.

I am charmed by that simplicity and straightforwardness, as well as by the
fact that a Bayesian filter has been able to achieve >98% accuracy for me
for most of the time I've been using it.

Having said that, to successfully combat the most recent iteration of spam,
I've had to compromise my principles a bit and apply a couple of rules to my
incoming email for the first time by using a preprocessor called
"spamitarium" written by Tom Anderson.  You can read more about it at
<http://stuff.mit.edu/~jik/software/bogofilter-milter/#spamitarium
<http://stuff.mit.edu/%7Ejik/software/bogofilter-milter/#spamitarium>>.
That page also documents the rest of my antispam configuration, for those
who are curious.


Re: YOUR SAT NAV IS WRONG - GO BACK! (Jidanni, RISKS-26.01)

Dag-Erling Smørgrav <des@des.no>
Fri, 09 Apr 2010 12:17:19 +0200

The real issue here is that most satnav systems default to "shortest route",
which is almost *never* what the user actually wants.

I recently bought a car with a built-in satnav system which not only
defaults to "shortest route" but, adding insult to injury, reverts to the
default setting when you enter a new destination...

On a related note: in Norway, you can deduct your daily commute from your
taxable income, at a fixed rate per kilometer, if it exceeds a certain
threshold.  In addition, under certain conditions, medically justified
travel expenses are refundable.  However, these deductions or refunds are
not based on the route you actually travel, but on the shortest route
reported by a specific (gov't-run) online map service.  I know of at least
one case (a specific specialized hospital outside Oslo) where the
gov't-approved shortest route involves a highway off-ramp that no longer
exists and a forest path.


GPS jamming - request for information (notsp)

Martyn Thomas <martyn@thomas-associates.co.uk>
Fri, 16 Apr 2010 09:28:47 +0100

I'm currently leading a study by the UK Royal Academy of information into
GPS (and more generally GNSS) usage and vulnerabilities.

It's clear that the current GPS signal is easy to jam (and that it is jammed
quite often for criminal and counter-criminal purposes), so one might
predict that this would become more frequent as the incentives increase.

I understand that GPS is used for road tolls in the Netherlands and in
Germany (for lorries). If this is true, is there any evidence that it has
led to jamming? If it has, what consequences have there been?

Thanks for any help, on or off list.  [PREFERABLE OFF LIST, hoping that
  Martyn will summarize the interesting responses -- if relevant.  PGN]

Martyn Thomas CBE FREng <martyn@thomas-associates.co.uk>


Retracting my observation of the USPS CofA (RISKS-26.01)

fjohn reinke <fjohn@reinke.cc>
Thu, 8 Apr 2010 17:57:02 -0400

With the assistance of Jonathan Kamens, he and I went through the steps and
urls. It appears that somehow, I wound up on a sleazy third party site,
looking like USPS, offering CofA services. I don't think I did it.  We can't
see any advertising that I could have misclicked on. There's nothing in the
history that gives me a clue. I didn't have a key logger active and perhaps
my memory is not as good as it I think it is. Argh!  So for the time being,
I'll retract my critique with apologies to all.  I'm still interested in if
the CofA goes thru. Thanks to my new acquaintance Jonathan Kamens, I've
learned to be EVEN more skeptical and wary than I have been.


New Book: Cryptography Engineering

Bruce Schneier <schneier@SCHNEIER.COM>
Thu, 15 Apr 2010 00:05:51 -0500

  [Excerpted from Bruce's CRYPTO-GRAM, 15 Apr 2010.  PGN]

I have a new book, sort of.  Cryptography Engineering is really the second
edition of Practical Cryptography.  Niels Ferguson and I wrote Practical
Cryptography in 2003.  Tadayoshi Kohno did most of the update work -- and
added exercises to make it more suitable as a textbook -- and is the third
author on Cryptography Engineering.  (I didn't like it that Wiley changed
the title; I think it's too close to Ross Anderson's excellent Security
Engineering.)

Cryptography Engineering is a techie book; it's for practitioners who are
implementing cryptography or for people who want to learn more about the
nitty-gritty of how cryptography works and what the implementation pitfalls
are.  If you've already bought Practical Cryptography, there's no need to
upgrade unless you're actually using it.

Here's what's new: We revised the introductory materials in Chapter 1 to
help readers better understand the broader context for computer security,
with some explicit exercises to help readers develop a security mindset.  We
updated the discussion of AES in Chapter 3; rather than speculating on
algebraic attacks, we now talk about the recent successful (theoretical, not
practical) attacks against AES.  Chapter 4 used to recommended using
nonce-based encryption schemes.  We now find these schemes problematic, and
instead recommend randomized encryption schemes, like CBC mode.  We updated
the discussion of hash functions in Chapter 5; we discuss new results
against MD5 and SHA1, and allude to the new SHA3 candidates (but say it's
too early to start using the SHA3 candidates).  In Chapter 6, we no longer
talk about UMAC, and instead talk about CMAC and GMAC.  We revised Chapters
8 and 15 to talk about some recent implementation issue to be aware of.  For
example, we now talk about the cold boot attacks and challenges for
generating randomness in VMs.  In Chapter 19, we discuss online certificate
verification.

Signed copies are available.  See the bottom of the book's webpage for
details.

http://www.schneier.com/book-ce.html

Please report problems with the web pages to the maintainer

Top