The Risks Digest

Forum on Risks to the Public in Computers and Related Systems

ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

Volume 26 Issue 18

Saturday 2 October 2010

Contents

DC Internet voting trial intermediate results
Jeremy Epstein
Cyberwar Chief Calls for Secure Network
Thom Shanker via Gabe Goldberg
Cross-site scripting bug leads to massive Twitter worm attacks
Lauren Weinstein
Lone $4.1 Billion Sale Led to 'Flash Crash' in May
Graham Bowley via Monty Solomon
Failure of recovery time - Virgin Blue
Jared Gottlieb
Some Android apps caught covertly sending GPS data to advertisers
Ryan Paul via Monty Solomon
You can no longer rely on encryption to protect a BlackBerry
Martin Heller via Monty Solomon
Code That Tracks Users' Browsing Prompts Lawsuits
Gabe Goldberg
Facebook Outage blamed on handling of error condition
Robert Johnson via Jim Reisert
User interface modification: Titanic risk
Lee Rudolph
Robbers sweep in and siphon up money with vacuum cleaner
Michael Rosa
Fresh ACS:Law file-sharing lists expose thousands more
Daniel Emery via Gene Wirchenko
Risks of UEFI replacement for BIOS in PCs
Nick Brown
Show's Title, in Symbols, Defies DVR users
Monty Solomon
Re: Malicious e-mail with executable pdf
Danny Burstein
Re: A Strong Password Isn't the Strongest Security
Raj Mathur
Info on RISKS (comp.risks)

DC Internet voting trial intermediate results

Jeremy Epstein <jeremy.j.epstein@gmail.com>
Fri, 1 Oct 2010 18:50:32 -0400

For many years, computer scientists have warned that Internet voting is not
a good idea - it's too vulnerable to all sorts of attacks, whether against
the voter's workstation, the network infrastructure, or the server - not to
mention usability, accessibility, and interoperability issues.  The District
of Columbia is, against advice from many computer scientists, pursuing a
trial of a prototype system for the November election.  To their credit,
they've made the source code and some design documentation available, along
with an open server with "get out of jail free" permissions to hack during a
test period.

A brief timeline:

* Summer 2010: DC announces the pilot, with the open testing period to
  be in August
* Sep 20: DC releases a network map and requirements document; test
  server to be available Sep 24-30 [1]
* Sep 24: Common Cause and Verified Voting write to Mary Cheh, chair
  of the DC Council oversight committee on elections, suggesting that
  Internet voting appears to violate DC law due to lack of
  voter-verifiable ballot [2]
* Sep 24: 13 prominent computer scientists and lawyers write to Mary
  Cheh, pointing out numerous difficulties with the test program [3]
* Sep 24: Test server availability delayed for an undefined time
* Sep 28: Test server available, source code availability announced
  publicly; test period to run through Oct 06 at 5pm
* Sep 30 morning: After casting a "vote" on the test server, the
  browser plays the Univ of Michigan fight song
* Oct 01 afternoon: DC takes the test server down, citing "usability issues"

It's unclear when the test period will resume, if at all.  It's also not
clear at this point the extent of the compromise of the system.  While it's
true that the DC BoEE can fix whatever problems allowed introduction of the
"fight song", it's also clear that this is the tip of the iceberg - we know
from 30 years of experience that the "penetrate and patch" method doesn't
produce secure systems.

The RISK?  Ignoring the advice of computer scientists and charging
full steam ahead on a technology project doesn't work!

[1] The DC BoEE site for this experiment can be found at
    http://www.dcboee.us/DVM/
[2] http://voices.washingtonpost.com/debonis/Common_Cause_letter_to_BOEE.pdf
[3] http://voices.washingtonpost.com/debonis/CS_letter_to_Cheh.pdf


Cyberwar Chief Calls for Secure Network

Gabe Goldberg <gabe@gabegold.com>
Thu, 23 Sep 2010 16:44:07 -0400

The new commander of the military's cyberwarfare operations is advocating
the creation of a separate, secure computer network to protect civilian
government agencies and critical industries like the nation's power grid
against attacks mounted over the Internet.  The officer, Gen. Keith
B. Alexander, suggested that such a heavily restricted network would allow
the government to impose greater protections for the nation's vital,
official on-line operations. General Alexander labeled the new network "a
secure zone, a protected zone."  Others have nicknamed it "dot-secure."  It
would provide to essential networks like those that tie together the
banking, aviation, and public utility systems the kind of protection that
the military has built around secret military and diplomatic communications
networks --- although even these are not completely invulnerable.  [...]
  [Source: Thom Shanker, *The New York Times*, 23 Sep 2010]
  http://www.nytimes.com/2010/09/24/us/24cyber.html?_r=1&th&emc=th

Gabriel Goldberg, Computers and Publishing, Inc.          (703) 204-0433
3401 Silver Maple Place, Falls Church, VA 22042        gabe@gabegold.com

  [Also noted by Matthew Kruk.  PGN]


Cross-site scripting bug leads to massive Twitter worm attacks

Lauren Weinstein <lauren@vortex.com>
Tue, 21 Sep 2010 10:54:32 -0700

Cross-site scripting bug leads to massive Twitter worm attacks
http://bit.ly/a3kgvi  (Kaspersky Lab) [From NNSquad]


Lone $4.1 Billion Sale Led to 'Flash Crash' in May (Graham Bowley)

Monty Solomon <monty@roscom.com>
Fri, 1 Oct 2010 21:44:12 -0400

Graham Bowley, *The New York Times*, 1 Oct 2010

It was a stock market mystery that had everyone guessing for months: just
what caused that harrowing flash crash last May?

On Friday, after months of investigation and speculation, federal
authorities finally provided the answer: it all began with the click of a
computer mouse in Kansas.

In a long-awaited report on one of the wildest days in Wall Street's history,
regulators said that the automated sale of a large block of futures by a
mutual fund - not named in the report, but identified by officials as
Waddell & Reed Financial, of Overland Park, Kan. - touched off a chain
reaction of events on May 6. The Dow Jones industrial average plunged more
than 600 points in a matter of minutes that day and then recovered in a
blink.

The finger-pointing and speculation that followed - Were high-speed traders
behind it? A rogue computer program? Financial terrorists? - captivated Wall
Street. But in the report released on Friday, the authorities said they
found no evidence of market manipulation.  Instead, the temporary crash
resulted from a confluence of forces after a single fund company tried to
hedge its stock market investment position legitimately, albeit in an
aggressive and abrupt manner.

The mutual fund started a program at about 2:32 p.m. on May 6 to sell $4.1
billion of futures contracts, using a computer sell algorithm that over the
next 20 minutes dumped 75,000 contracts onto the market, even automatically
accelerating its selling as prices plunged.

The regulators hope the report lifts the uncertainty that has hung over the
nation's exchanges - and investors' minds - since the crash.  Certainly,
officials at the Securities and Exchange Commission and the Commodity
Futures Trading Commission seemed confident they had established the causes
of the crash and answered any final doubts, and the findings were welcomed
by some in the markets.

But it also left lingering questions among many who felt it did not explain
why the crash took place on that particular day in May, or provide any
assurance that this could not occur again. ...

http://www.nytimes.com/2010/10/02/business/02flash.html


Failure of recovery time - Virgin Blue

jared gottlieb <jared@netspace.net.au>
Mon, 27 Sep 2010 12:11:30 -0600

The risk is when computer 'recovery time' stretches out, compounded by the
business' recovery time thereafter.  This incident occurred at a peak time
of school holidays and as fans were leaving Melbourne after the (almost)
Australian Rules Football Grand Final. (Almost because the result was a draw
and the teams play again this next weekend.)  Melbourne 'The Age' newspaper
http://www.theage.com.au/travel/passengers-still-waiting-on-virgin-20100927-15u4j.html

"Virgin Blue has blamed the company it contracted to run its reservations
system for the nationwide flight chaos since Sunday morning [26.9.10]. It
took nearly 24 hours to get a back-up system running. The agreement with the
company, Navitaire, requires ''mission-critical'' systems to be recovered in
two hours. The delay has angered Virgin Blue almost as much as its stranded
passengers, some of whom bunkered down for a second night away from home at
the airline's expense."

"The Age believes Virgin Blue is reviewing its contract with the company, a
subsidiary of global outsourcing giant Accenture.  Yesterday afternoon
Virgin Blue received a preliminary explanation from Navitaire as to why
computers in its Sydney data centre, which run the airline's internet
booking, reservations, check-in and boarding systems, failed about 8am on
Sunday. At 5am yesterday, Virgin Blue said the computer system was working
again, but facing a huge backlog. Navitaire identified that a computer
server's solid-state drive had failed, and an ''initial decision to seek to
repair the device proved less than fruitful and also contributed to the
delay in initiating a cut-over to a contingency hardware platform'', the
airline said. A spokeswoman for Accenture added on behalf of Navitaire: 'We
obviously did detailed testing prior to putting the system back on line.'"

"Navitaire boasts its outsourced aviation systems 'let your business run
like clockwork'. That's not how some passengers described it. The effects
are still being felt: yesterday the airline had to cancel 17 flights. It is
not taking any new bookings for flights leaving before Thursday, frustrating
football fans wanting to organise flights to Melbourne for the AFL grand
final rematch."


Some Android apps caught covertly sending GPS data to advertisers

Monty Solomon <monty@roscom.com>
Thu, 30 Sep 2010 18:15:58 -0400
  (Ryan Paul)

Ryan Paul, *Arstechnica*, 30 Sep 2010

The results of a study conducted by researchers from Duke University, Penn
State University, and Intel Labs have revealed that a significant number of
popular Android applications transmit private user data to advertising
networks without explicitly asking or informing the user. The researchers
developed a piece of software called TaintDroid that uses dynamic taint
analysis to detect and report when applications are sending potentially
sensitive information to remote servers.

They used TaintDroid to test 30 popular free Android applications selected
at random from the Android market and found that half were sending private
information to advertising servers, including the user's location and phone
number. In some cases, they found that applications were relaying GPS
coordinates to remote advertising network servers as frequently as every 30
seconds, even when not displaying advertisements. These findings raise
concern about the extent to which mobile platforms can insulate users from
unwanted invasions of privacy. ...

http://arstechnica.com/security/news/2010/09/some-android-apps-found-to-covertly-send-gps-data-to-advertisers.ars
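The study above says TaintDroid uses dynamic taint analysis to catch private data leaving the device. The following is an added illustration of that technique in miniature, written for this digest; it is not the researchers' code or any part of TaintDroid. The taint labels, the `read_gps`/`read_phone_number` sources, the `NetworkMonitor` sink and the "app" behaviour are all constructed: sensitive values carry a set of source tags, string operations propagate the union of the tags, and the network sink reports (rather than blocks) any tagged value that crosses it.

```python
"""Toy dynamic taint tracking in the spirit of the TaintDroid study.

Added example, not the researchers' code. Sources, sinks and the app
behaviour below are constructed for illustration only.
"""
from __future__ import annotations

from dataclasses import dataclass, field

# Taint labels for sensitive sources (constructed names, not TaintDroid's own).
LOCATION = "location"
PHONE_NUMBER = "phone_number"


@dataclass(frozen=True)
class Tainted:
    """A value carrying the set of sensitive sources it was derived from."""
    value: str
    tags: frozenset[str] = field(default_factory=frozenset)

    def __add__(self, other: Tainted | str) -> Tainted:
        # Propagation rule: combining two values yields the union of their tags.
        if isinstance(other, Tainted):
            return Tainted(self.value + other.value, self.tags | other.tags)
        return Tainted(self.value + other, self.tags)

    def __radd__(self, other: str) -> Tainted:
        # Handles "plain string" + Tainted; the taint survives the concatenation.
        return Tainted(other + self.value, self.tags)


# --- taint sources: where private data enters the program (constructed values) ---
def read_gps() -> Tainted:
    return Tainted("37.4220,-122.0841", frozenset({LOCATION}))


def read_phone_number() -> Tainted:
    return Tainted("+15555550100", frozenset({PHONE_NUMBER}))


# --- taint sink: the network boundary, where the monitor inspects the tags ---
@dataclass
class Report:
    host: str
    tags: frozenset[str]
    payload: str


class NetworkMonitor:
    def __init__(self) -> None:
        self.reports: list[Report] = []

    def send(self, host: str, payload: Tainted | str) -> None:
        """Simulated socket write: tagged data crossing here is reported, not blocked."""
        if isinstance(payload, Tainted) and payload.tags:
            self.reports.append(Report(host, payload.tags, payload.value))


def run_ad_supported_app(monitor: NetworkMonitor) -> list[Report]:
    """Constructed app behaviour: an ad library builds a request from device data."""
    gps = read_gps()
    phone = read_phone_number()
    # Concatenation carries both taints into the query string.
    ad_request = "GET /ad?loc=" + gps + "&uid=" + phone
    monitor.send("ads.example", ad_request)
    # Untainted traffic produces no report.
    monitor.send("api.example", "GET /news/latest")
    return monitor.reports


if __name__ == "__main__":
    for r in run_ad_supported_app(NetworkMonitor()):
        print(f"{r.host}: {sorted(r.tags)} -> {r.payload}")
```

The point the toy makes is the one the study relies on: the monitor does not need to know what the ad library does with the data, only where sensitive values originate and where they leave the process; everything in between is handled by the propagation rule.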


You can no longer rely on encryption to protect a BlackBerry

Monty Solomon <monty@roscom.com>
Fri, 1 Oct 2010 15:47:31 -0400

You can no longer rely on encryption to protect a BlackBerry
A Russian passcode-breaker firm exploits a weakness in RIM's encryption to
crack open backups

Martin Heller, *InfoWorld*, 1 Oct 2010
http://www.infoworld.com/t/mobile-device-management/you-can-no-longer-rely-encryption-protect-blackberry-436


"Code That Tracks Users' Browsing Prompts Lawsuits"

Gabe Goldberg <gabe@gabegold.com>
Mon, 20 Sep 2010 23:16:36 -0400

Sandra Person Burns used to love browsing and shopping online. Until she
realized she was being tracked by software on her computer that she thought
she had erased.  Ms. Person Burns, 67, a retired health care executive who
lives in Jackson, Miss., said she is wary of online shopping: "Instead of
going to Amazon, I'm going to the local bookstore."  Ms. Person Burns is one
of a growing number of consumers who are taking legal action against
companies that track computer users' activity on the Internet. At issue is a
little-known piece of computer code placed on hard drives by the Flash
program from Adobe when users watch videos on popular Web sites like YouTube
and Hulu.
  http://www.nytimes.com/2010/09/21/technology/

Firefox add-on BetterPrivacy (not mentioned in the article!) to the rescue.

Gabriel Goldberg, Computers and Publishing, Inc.  (703) 204-0433
3401 Silver Maple Place, Falls Church, VA 22042   gabe@gabegold.com


Facebook Outage blamed on handling of error condition

Jim Reisert AD1C <jjreisert@alum.mit.edu>
Fri, 24 Sep 2010 06:58:13 -0600

I'm impressed by the detailed description of the failure.  I wonder how many
people on FB actually understand any of this?

http://www.facebook.com/note.php?note_id=431441338919&id=9445547199

More Details on Today's Outage
by Robert Johnson on Thursday, September 23, 2010 at 6:29pm

Early today Facebook was down or unreachable for many of you for
approximately 2.5 hours. This is the worst outage we've had in over four
years, and we wanted to first of all apologize for it. We also wanted to
provide much more technical detail on what happened and share one big lesson
learned.

The key flaw that caused this outage to be so severe was an unfortunate
handling of an error condition. An automated system for verifying
configuration values ended up causing much more damage than it fixed.

The intent of the automated system is to check for configuration values that
are invalid in the cache and replace them with updated values from the
persistent store. This works well for a transient problem with the cache,
but it doesn't work when the persistent store is invalid.

Today we made a change to the persistent copy of a configuration value that
was interpreted as invalid. This meant that every single client saw the
invalid value and attempted to fix it. Because the fix involves making a
query to a cluster of databases, that cluster was quickly overwhelmed by
hundreds of thousands of queries a second.

To make matters worse, every time a client got an error attempting to query
one of the databases it interpreted it as an invalid value, and deleted the
corresponding cache key. This meant that even after the original problem had
been fixed, the stream of queries continued. As long as the databases failed
to service some of the requests, they were causing even more requests to
themselves. We had entered a feedback loop that didn't allow the databases
to recover.

The way to stop the feedback cycle was quite painful - we had to stop all
traffic to this database cluster, which meant turning off the site.  Once
the databases had recovered and the root cause had been fixed, we slowly
allowed more people back onto the site.

This got the site back up and running today, and for now we've turned off
the system that attempts to correct configuration values. We're exploring
new designs for this configuration system following design patterns of other
systems at Facebook that deal more gracefully with feedback loops and
transient spikes.

We apologize again for the site outage, and we want you to know that we take
the performance and reliability of Facebook very seriously.

Jim Reisert AD1C, <jjreisert@alum.mit.edu>, http://www.ad1c.us
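The post-mortem above describes a loop in which a query error was treated as an invalid value, the cache key was deleted, and the resulting misses generated still more queries. The simulation below, added here as an illustration and not Facebook's code, reproduces that shape with constructed numbers (1000 clients sharing one cache, a database cluster that can answer 100 repair queries per tick, operators correcting the persistent value at tick 5). The "original" policy evicts the shared key whenever a query fails; the "hardened" policy, an assumption of this example and not the redesign Facebook chose, never evicts on error and rate-limits each client's repair attempts.

```python
"""Simulation of the cache-repair feedback loop described in the post-mortem.

Added example, not Facebook's code. Client count, database capacity, tick
length and both repair policies are constructed to show the failure's shape.
"""
from __future__ import annotations

from dataclasses import dataclass, field

INVALID = "INVALID"      # what the automated checker considers a bad value
N_CLIENTS = 1000         # clients sharing one cache (constructed)
DB_CAPACITY = 100        # repair queries the cluster can answer per tick (constructed)
BACKOFF = 3              # ticks a hardened client waits before retrying a repair
FIX_AT_TICK = 5          # tick at which operators correct the persistent store


@dataclass
class World:
    cache: dict = field(default_factory=dict)                       # shared cache, key "cfg"
    store: dict = field(default_factory=lambda: {"cfg": INVALID})   # persistent store
    backoff_until: list = field(default_factory=lambda: [0] * N_CLIENTS)


def tick(world: World, t: int, delete_on_error: bool) -> int:
    """One round of the repair loop; returns how many clients queried the database."""
    querying = [c for c in range(N_CLIENTS)
                if world.cache.get("cfg") in (None, INVALID)
                and world.backoff_until[c] <= t]
    successes, failures = querying[:DB_CAPACITY], querying[DB_CAPACITY:]
    if successes:
        # Repair from the persistent store; before the fix this just re-caches INVALID.
        world.cache["cfg"] = world.store["cfg"]
    if delete_on_error:
        if failures:
            # Original behaviour: a query error is treated as an invalid value and
            # evicts the shared key, so every client misses again on the next tick.
            world.cache.pop("cfg", None)
    else:
        # Hardened behaviour (assumed, not Facebook's redesign): never evict on error,
        # and rate-limit repair attempts. The first wait is staggered by client id so
        # the retries do not all arrive in one wave.
        for c in querying:
            world.backoff_until[c] = t + BACKOFF if t > 0 else 1 + c % BACKOFF
    return len(querying)


def run(delete_on_error: bool, ticks: int = 12) -> list[int]:
    """Database queries per tick; the bad store value is corrected at FIX_AT_TICK."""
    world = World()
    loads = []
    for t in range(ticks):
        if t == FIX_AT_TICK:
            world.store["cfg"] = "valid-v2"
        loads.append(tick(world, t, delete_on_error))
    return loads


if __name__ == "__main__":
    print("original:", run(delete_on_error=True))
    print("hardened:", run(delete_on_error=False))
```

With the original policy the load stays at 1000 queries per tick even after the store is corrected, because at least one of the overflow queries always fails and evicts the value the successful ones just wrote; that is the loop the post describes having to break by turning off all traffic. With the hardened policy the load is bounded before the fix and drops to zero one tick after it, since the first successful repair sticks.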


User interface modification: Titanic risk

Lee Rudolph
Thu, 23 Sep 2010 22:03:36 -0400 (EDT)

http://www.bbc.co.uk/news/uk-northern-ireland-11390144

  Confusion about steering orders was responsible for the Titanic sinking,
  according to a relative of one of the ship's officers. ...  Mrs Patten
  said the tragedy had occurred during a period when shipping communications
  were in transition from sail to steam.  Two different systems were in
  operation at the time, Rudder Orders (used for steam ships) and Tiller
  Orders (used for sailing ships).  Crucially, Mrs Patten said, the two
  steering systems were the complete opposite of one another, so a command
  to turn 'hard a-starboard' meant turn the wheel right under one system and
  left under the other.  She said when the helmsman, who had been trained in
  sail, received the direction, he turned the vessel towards the iceberg
  with tragic results. ...  [Of course it is not computer-relevant <!>, but
  it is certainly RISKS-relevant!  Similar events have been computer
  related.  PGN]


Robbers sweep in and siphon up money with vacuum cleaner

"Michael Rosa" <MRosa@workcover.com>
Wed, 29 Sep 2010 16:52:10 +0930

Burglars broke into their latest store near Paris and drilled a hole in the
pneumatic tube that siphons money from the checkout to the strong-room.
[Slightly retitled by Pneumanntic.]
  http://www.thesun.co.uk/sol/homepage/news/3149962/Robbers-clean-up-with-vacuum.html


Fresh ACS:Law file-sharing lists expose thousands more

Gene Wirchenko <genew@ocis.net>
Fri, 01 Oct 2010 13:32:53 -0700

The personal details of a further 8,000 people alleged to have shared music
or films illegally have appeared online.  A list of more than 8,000 Sky
broadband subscribers and a second of 400 PlusNet users surfaced following a
security breach of legal firm ACS:Law.  It comes after a database of more
than 5,000 people suspected of downloading adult films emerged on Monday.
The UK's Information Commissioner said ACS:Law could be fined up to half a
million pounds for the breaches.  The two new lists, produced by ACS:Law,
contain the names, addresses and Internet addresses (IP addresses) of users
suspected of illegally sharing music.  "In relation to the individual names,
these are just the names and addresses of the account owner and we make no
claims that they themselves were sharing the files."  Mr Crossley said he
had no further comment when asked why the Excel documents were unencrypted,
but said he had notified the police, the ICO and was in communication with
the SRA.  [Source: Daniel Emery, BBC News, 28 Sep 2010]
  http://www.bbc.co.uk/news/technology-11425789


Risks of UEFI replacement for BIOS in PCs

"Nick Brown" <Nick.BROWN@coe.int>
Fri, 1 Oct 2010 19:11:12 +0200

A BBC article (http://www.bbc.co.uk/news/technology-11430069) reports on the
ongoing introduction of Unified Extensible Firmware Interface, a replacement
for the vintage BIOS boot architecture which has been used in most PCs for
nearly 30 years.  A particular highlight:

> Before now, said Mr Doran, getting [large numbers of PCs in a corporate
> environment] working has been "pretty painful" because of the limited
> capabilities of Bios.  By contrast, he said, UEFI has much better support
> for basic net protocols - which should mean that remote management is
> easier from the "bare metal" upwards.

So, we're going to have half a billion PCs, presumably running protocols
with the power of TFTP or above, and with block-level access to every
storage device in the system.  What could possibly go wrong?


Show's Title, in Symbols, Defies DVR users (Brian Stelter)

Monty Solomon <monty@roscom.com>
Sat, 25 Sep 2010 23:17:32 -0400

[Source: Brian Stelter, Show's Title, in Symbols, Defies DVRs, *The New York
Times*, 22 Sep 2010]

CBS knew that when it ordered a sitcom with a vulgar word in the title, it
would get attention. The network also knew there would be some hand-wringing
about the coarseness of popular culture.

Here's what the network did not know: that the title would trip up some
digital video recorders.  It turns out that the search tools on some DVRs
cannot find the new show, `$#*! My Dad Says', because the symbols cannot be
read. (Maybe some DVR developers could not foresee a world where TV shows
would have a dollar sign in the titles.) Before the show's premiere on
Thursday, CBS released a viewers' guide of sorts on Wednesday to help people
program their DVRs accordingly.

The case illustrates how some TV networks have embraced the DVR, though
tepidly. Despite the commercial-skipping abilities of the recording devices,
highly rated shows become even more so when DVR playback is included in the
Nielsen ratings that help determine prices for advertising time. About 38
percent of households now have DVRs, though the vast majority of programming
is still watched in real-time. ...

http://www.nytimes.com/2010/09/23/business/media/23dad.html


Re: Malicious e-mail with executable pdf

danny burstein <dannyb@panix.com>
Mon, 20 Sep 2010 20:53:16 -0400 (EDT)

And once again we're treated to a malware warning, make that a near
hysterical warning (especially the way it was covered by the mass media)
which leaves out a key point, namely which computer operating systems and
software packages are potentially affected.

When there's a safety concern with cars, there's no reluctance in
publicizing the brand name. Even when the company is a major advertiser.

Why do we see so much hesitation in computer issues?


Re: A Strong Password Isn't the Strongest Security

Raj Mathur <raju@linux-delhi.org>
Sat, 25 Sep 2010 09:33:59 +0530

There are at least three technologies that are mitigating the need to
remember multiple, complex passwords today:

OpenID is gaining popularity, and as more Internet-based services permit
OpenID authentication, the need for individual passwords will dramatically
decrease.  I hear Facebook is a recent addition to the OpenID fan club.

Biometric-based validation is now available for local authentication on many
new computers.  I don't really know how far technology has progressed with
standard, secure protocols for performing biometric authentication remotely,
but, unless there are insurmountable issues with security, surely that will
be available in the fullness of time.

Key- and certificate-based authentication has been around for ages, and
administrators of large numbers of Unix/Linux servers need no prompting to
start eulogising the benefits of SSH keys.  Generating self-signed
certificates is trivial, and for mundane authentication purposes (e.g., to
your e-mail account) there is no need to bring certificate authorities and
governments into the picture.

To sum up, what we seem to be suffering from is a surfeit of authentication
mechanisms.  I look forward to the day when one method (which may be a
combination of more than one technology above, or of technologies that I
haven't thought of) is as ubiquitous as password-based authentication was a
few decades back.

Aside: All the technologies listed have some potential issue or the other.
Whether it is a single point of failure or immaturity of the technology
involved, there is scope for abuse.  On the other hand, whether we will ever
see a time when absolute novices will be able to safely authenticate on the
Internet is a question that I, for one, would be loath to try to answer.

Raj Mathur                raju@kandalaya.org      http://kandalaya.org/
PsyTrance & Chill: http://schizoid.in/
