The Risks Digest

The RISKS Digest

Forum on Risks to the Public in Computers and Related Systems

ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

Volume 26 Issue 23

Saturday 27 November 2010

Contents

NYCTA forging subway signal inspections
David Lesher
Failed hard disk stalls New Orleans real estate market
Andrew Klossner
Access-based cache attack on AES-128
Bangerter et al.
Wiseguys Plead Guilty in Ticketmaster Captcha Case
Jim Reisert
U.S. Shuts Down Web Sites in Piracy Crackdown
Ben Sisario via Monty Solomon
Deep Pockets have Deep Packets?
Steve Stecklow and Paul Sonne
Israeli army uses FaceBook to expose draft dodgers
Amos Shapir
U.S. may require jamming of cell phone use inside vehicles
Various
Passenger arrested for stripping down to underwear for TSA pat down
Peter Houppermans
Vermont law on drug data mining ruled unconstitutional
Danny Burstein
When will we learn that digital communication isn't private?
Tom Keane via Monty Solomon
Re: Massive Chinese Net Reroute Exposes Web's Achilles' Heel
Mike Andrews
Re: New study on adverse events in hospitals
Barbara Zanzig
Malware Analysts' Cookbook and DVD
Ligh et al. review by Richard Austin
Cyber Warmongering and Influence Peddling
Gary McGraw
Info on RISKS (comp.risks)

NYCTA forging subway signal inspections

David Lesher <wb8foz@panix.com>
Sat, 20 Nov 2010 00:10:36 -0500

NYC Transit supervisors falsified thousands of vital signal inspections
across the subway system for years, leaving straphangers at risk for deadly
collisions like the one that killed nine people in Washington, D.C., The
Post has learned.

Across every line in every borough, a cabal of managers in the signal
department forced maintainers to fib on the inspections by threatening them
with punishment like loss of overtime, according to a sweeping investigation
by the MTA Inspector General.

At least one high-level chief, Tracy Bowdwin—the MTA's highest earning
signal department supervisor at $165,000-a-year—was demoted in the
fallout, and managers are still being questioned, transit sources said.  ...
[Source: Heather Haddon, New York Post, 19 Nov 2010; PGN-ed]
<http://www.nypost.com/f/print/news/local/nyc_subway_signal_inspections_falsified_ZUVA7DheupaPwrjF5yoO4M>

  Need we discuss the risks of ignoring maintenance and inspections, to save
  money?


Failed hard disk stalls New Orleans real estate market

Andrew Klossner <andrew@cesa.opbu.xerox.com>
Wed, 24 Nov 2010 15:36:06 -0800

Because of a "failure in the hard drive," nobody in New Orleans has been
able to close a real estate transaction for over a month.  The contractor
responsible for making backups apparently didn't.

http://blog.nola.com/crime_impact/print.html?entry=/2010/11/computer_glitch_stalls_orleans.html


Access-based cache attack on AES-128

"Peter G. Neumann" <neumann@csl.sri.com>
Wed, 24 Nov 2010 13:50:25 PST

Endre Bangerter, David Gullasch, and Stephan Krenn
*Cache Games - Bringing Access Based Cache Attacks on AES to Practice*
Cryptology ePrint Archive: Report 2010/594
http://bit.ly/ev8KtA  (IACR)

Side channel attacks on cryptographic systems are attacks exploiting
information gained from physical implementations rather than utilizing
theoretical weaknesses of a scheme. In particular, during the last years,
major achievements were made for the class of access-driven
cache-attacks. The source of information leakage for such attacks is the
locations of memory accesses performed by a victim process.

In this paper we analyze the case of AES and present an attack which is
capable of recovering the full secret key in almost realtime for AES-128,
requiring only a very limited number of observed encryptions.  Unlike most
other attacks, ours neither needs to know the ciphertext, nor does it need
to know any information about the plaintext (such as its distribution,
etc.). Moreover, for the first time we also show how the plaintext can be
recovered without having access to the ciphertext.  Further, our spy process
can be run under an unprivileged user account.  It is the first working
attack for implementations using compressed tables, where it is not possible
to find out the beginning of AES rounds any more—a cornerstone for all
efficient previous attacks. All results of our attack have been demonstrated
by a fully working implementation, and do not solely rely on theoretical
considerations or simulations.

A contribution of probably independent interest is a denial of service
attack on the scheduler of current Linux systems (CFS), which allows one to
monitor memory accesses with novelly high precision. Finally, we give some
generalizations of our attack, and suggest some possible countermeasures
which would render our attack impossible.
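
The abstract above says the leakage source is the location of the victim's memory accesses. The following is an added example (mine, not code from the Bangerter/Gullasch/Krenn paper or from RISKS) that makes that concrete from the defender's side: it traces which cache lines a table-driven S-box lookup touches, quantifies how many bits of the secret-dependent index the footprint reveals, and shows that the classic "read every line and select arithmetically" countermeasure leaves an input-independent footprint. The 64-byte line size, the 256-entry stand-in table, and the names `LineTracer`, `sbox_lookup_leaky`, `sbox_lookup_ct`, `lines_touched` and `footprint_bits_leaked` are all my assumptions; the table is a constructed permutation, not the real AES S-box.

```python
# Added example (mine, not code from the Bangerter/Gullasch/Krenn paper or
# from RISKS): why a table-driven S-box lookup leaks through the cache, and
# the footprint left by the classic "touch every line" countermeasure.
#
# Assumptions: a 256-entry byte table stored contiguously, 64-byte cache
# lines, and an observer who learns only WHICH lines the victim touched,
# never the values read.  The table is a constructed permutation, not the
# real AES S-box; any fixed 256-entry table has the same access pattern.

CACHE_LINE = 64  # bytes per cache line (assumed)
SBOX = bytes((i * 167 + 43) & 0xFF for i in range(256))  # constructed stand-in


class LineTracer:
    """Wraps a table and records which cache lines are read (observer's view)."""

    def __init__(self, table):
        self.table = table
        self.lines = set()

    def read(self, index):
        self.lines.add(index // CACHE_LINE)
        return self.table[index]


def sbox_lookup_leaky(tracer, key_byte, pt_byte):
    """Straightforward lookup: the first AES round indexes the table with
    key XOR plaintext, so the single line touched reveals the top two bits
    of that index."""
    return tracer.read(key_byte ^ pt_byte)


def sbox_lookup_ct(tracer, key_byte, pt_byte):
    """Countermeasure: read every entry and pick the wanted one with a
    branch-free mask, so the set of lines touched is the same for every
    input.  (Python itself is not constant-time; this shows the access
    pattern, not real timing behaviour.)"""
    idx = key_byte ^ pt_byte
    result = 0
    for i in range(256):
        mask = ((i ^ idx) - 1) >> 8      # -1 (all ones) when i == idx, else 0
        result |= tracer.read(i) & mask
    return result


def lines_touched(lookup, key_byte, pt_byte):
    """Cache-line footprint of one lookup, as a spy process would see it."""
    tracer = LineTracer(SBOX)
    lookup(tracer, key_byte, pt_byte)
    return frozenset(tracer.lines)


def footprint_bits_leaked(lookup, key_byte=0x2B):
    """Bits of (key XOR plaintext) determined by the footprint: log2 of the
    number of distinct footprints seen over all 256 plaintext bytes."""
    footprints = {lines_touched(lookup, key_byte, p) for p in range(256)}
    return len(footprints).bit_length() - 1


if __name__ == "__main__":
    for name, fn in (("table lookup", sbox_lookup_leaky), ("full scan", sbox_lookup_ct)):
        print(f"{name:12s}: {footprint_bits_leaked(fn)} bit(s) of index leaked per lookup")
```

With 64-byte lines a 256-byte table spans four lines, so the plain lookup gives away two bits of key XOR plaintext per access, which is what the paper's spy process accumulates over observed encryptions; the full-scan variant gives away none, at the cost of 256 reads per lookup. In practice the stronger fix is to avoid data-dependent table addressing altogether (hardware AES instructions or bitsliced implementations), which the abstract's "possible countermeasures" would cover.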


Wiseguys Plead Guilty in Ticketmaster Captcha Case

Jim Reisert AD1C <jjreisert@alum.mit.edu>
Sun, 21 Nov 2010 19:38:23 -0700

http://www.wired.com/threatlevel/2010/11/wiseguys-plead-guilty/

I found the last sentence of this paragraph interesting:

"[The defendants] wrote a script that impersonated users trying to access
FaceBook, and downloaded hundreds of thousands of possible Captcha
challenges from reCaptcha, prosecutors maintained. They identified the file
ID of each Captcha challenge and created a database of Captcha 'answers' to
correspond to each ID. The bot would then identify the file ID of a
challenge at Ticketmaster and feed back the corresponding answer. The bot
also mimicked human behavior by occasionally making mistakes in typing the
answer, authorities said."

Of course it's a risk to have "hundreds of thousands of possible Captcha
challenges" available, and be able to exploit them.  I find it
interesting that their software tried to behave "more human" to shield
itself from discovery.  Could the script have passed the Turing test?

Jim Reisert AD1C, <jjreisert@alum.mit.edu>, http://www.ad1c.us


U.S. Shuts Down Web Sites in Piracy Crackdown (Ben Sisario)

Monty Solomon <monty@roscom.com>
Sat, 27 Nov 2010 14:48:34 -0500

[Source: Ben Sisario, *The New York Times*, 27 Nov 2010]

In what appears to be the latest phase of a far-reaching federal crackdown
on online piracy of music and movies, the Web addresses of a number of sites
that facilitate illegal file-sharing were seized this week by Immigration
and Customs Enforcement, a division of the Department of Homeland Security.

By Friday morning, visiting the addresses of a handful of sites that either
hosted unauthorized copies of films and music or allowed users to search for
them elsewhere on the Internet produced a notice that said, in part: "This
domain name has been seized by ICE - Homeland Security Investigations,
pursuant to a seizure warrant issued by a United States District Court."

In taking over the sites' domain names, or Web addresses, the government
effectively redirected any visitors to its own takedown notice. ...

https://www.nytimes.com/2010/11/27/technology/27torrent.html


Deep Pockets have Deep Packets?

"Peter G. Neumann" <neumann@csl.sri.com>
Wed, 24 Nov 2010 16:46:54 PST

Shunned Profiling Technology on the Verge of Comeback
Steve Stecklow and Paul Sonne, *Wall Street Journal*

One of the most potentially intrusive technologies for profiling and
targeting Internet users with ads is on the verge of a comeback, two years
after an outcry by privacy advocates in the U.S. and Britain appeared to
kill it.

The technology, known as "deep packet inspection," is capable of reading and
analyzing the "packets" of data traveling across the Internet. It can be far
more powerful than "cookies" and other techniques commonly used to track
people online because it can be used to monitor all online activity, not
just Web browsing. Spy agencies use the technology for surveillance.

Now, two U.S. companies, Kindsight Inc. and Phorm Inc., are pitching deep
packet inspection services as a way for Internet service providers to claim
a share of the lucrative online ad market.

Kindsight and Phorm say they protect people's privacy with steps that
include obtaining their consent. They also say they don't use the full power
of the technology, and refrain from reading email and analyzing sensitive
online activities.

Use of deep packet inspection this way would nonetheless give advertisers
the ability to show ads to people based on extremely detailed profiles of
their Internet activity. To persuade Internet users to opt in to be
profiled, Kindsight will offer a free security service, while Phorm promises
to provide customized web content such as news articles tailored to users'
interests. Both would share ad revenue. ...


Israeli army uses FaceBook to expose draft dodgers

Amos Shapir <amos083@hotmail.com>
Wed, 24 Nov 2010 18:02:17 +0200

The Israeli army lets religious women avoid the draft, but recently FaceBook
has been used to catch cheaters.  Full story at:
http://www.bbc.co.uk/news/world-middle-east-11825100


U.S. may require jamming of cell phone use inside vehicles

"Peter G. Neumann" <neumann@csl.sri.com>
Fri, 19 Nov 2010 21:11:17 PST

Original message to which the following is a response, from Lauren
Weinstein in Network Neutrality Squad:

  U.S. may require jamming of cell phone use inside vehicles
  http://bit.ly/deUpGb  (Daily Caller)
  Two items on this for Secretary LaHood:

  1) A dangerous and stupid idea for both technical and (ironically)
     safety reasons
  2) Good (Blankin') Luck getting people to put up with this one

Response from Bob Frankston:

> I can't help but think about legislation requiring every car have a person
> walking in front of it to assure that horses won't get scared. The idea that
> one should use the DNS to control the net is bad enough. The idea that cell
> phones have only one purpose—talking while driving—is just as dumb. If
> we ban cell phones
>
> *Passengers won't be able to communicate
> *Navigation systems won't get or provide updates
> *Medical monitors would fail
> *Emergency SMS systems won't be able to warn you about weather conditions.
>
> Well, fighting the last war is Congress' forte.
>
> Next topic TSA probing every cavity ...

Response from ssc:
Date: Fri, 19 Nov 2010 19:21:13 -0500
From: ssc <ssc@strikenet.kicks-ass.net>

If this comes to pass, I will make a ton of $ removing the jammers from
cars.

Also, just wait till someone goes to report a crime, an emergency call or an
accident and it doesn't go thru, and the law-vultures get involved. This
will be a MESS!

Also, as anyone familiar with radio knows (Lauren), radio signals don't
respect any territory. Imagine the interference generated, and resulting
poor coverage in urban canyons, where cell signals are already overtaxed,
and marginal in signal strength. Thousands of cars emitting jamming signals
affecting pedestrian traffic will render the devices useless in cities. The
result will be phones switching to higher power levels (this is automatic*)
and reduced battery life at the bare minimum. At this bare minimum, I'd
expect to see a noise floor rise of up to 20 dB, and interference to adjacent
services as well, like GPS (due to uneven mixing in poorly designed jamming
transmitters and nearby electronics, remember, cheap is the design
imperative here).  Cellular companies had better get out in front of this
fast, otherwise, they face the very real prospect of major cities being
inhospitable to hand held phones until every one of the interference-mobiles
is gone.

* When a cell phone decides it's getting a very weak signal, it automatically
increases its power up to a point to better enable it to communicate with
what it sees as a poor connection or weak signal. This algorithm is built in
to conserve battery while allowing full power for marginal signal
conditions. Jamming from multiple vehicles on urban streets will cause this
condition to be perceived by the handsets and, as a side effect, expose the
users to higher RF output than is normally needed to make a call when the
phone ramps up its output power.  Marc

  [There is a way—in theory anyway—to block cell phone use more
  selectively (e.g., still allowing 911 calls) and avoiding outright
  jamming.  That's the use of "picocells" to "intercept" cell phones before
  they reach the primary cellular networks.  But this would face immense
  challenges in the mobile environment as well.  Lauren Weinstein, NNSquad
  Moderator ]


Passenger arrested for stripping down to underwear for TSA pat down

Peter Houppermans <peter@houppermans.com>
Tue, 23 Nov 2010 11:55:01 +0100

It appears we have finally hit a point where people start asking questions.

http://www.nbcsandiego.com/news/local-beat/Passenger-Chooses-Strip-Down-Over-Pat-Down-109872589.html?dr

Through a statement released by his attorney Sunday night, Wolanyk said "TSA
needs to see that I'm not carrying any weapons, explosives, or other
prohibited substances, I refuse to have images of my naked body viewed by
perfect strangers, and having been felt up for the first time by TSA the
week prior (I travel frequently) I was not willing to be molested again."

Wolanyk's attorney said that TSA requested his client put his clothes on so
he could be patted down properly but his client refused to put his clothes
back on. He never refused a pat down, according to his attorney.  Wolanyk
was arrested for refusing to complete the security process.

So much for being overly accommodating :-).

However, the same article contained a line that was much more worrying:

A woman, identified by Harbor police as Danielle Kelli Hayman, 39, of San
Diego, was detained for recording the incident on a phone.

Ah, transparency.  We've heard of it...

Regards, Peter


Vermont law on drug data mining ruled unconstitutional

Danny Burstein <dannyb@panix.com>
Wed, 24 Nov 2010 20:27:29 -0500 (EST)

Vermont law on drug data mining ruled unconstitutional
(Sources: Burlington Vt. news items)

A Vermont law that restricts companies' use of information about the drugs
doctors prescribe is unconstitutional on free speech grounds, a federal
appeals court ruled Tuesday.  Three companies that gather information on
drugs ordered by doctors and then sell the information to pharmaceutical
manufacturers—IMS Health, SDI and Source Healthcare Analytics—had sued
over the so-called data mining law.  Passed in 2007, it bans the sale,
transmission or use of prescriber-identifiable data for marketing a
prescription drug unless the prescribing doctor consents.

A three-judge panel of the U.S. Court of Appeals for the 2nd Circuit said
the law is a restriction on commercial free speech that violates the First
Amendment.

rest:
http://www.burlingtonfreepress.com/article/20101124/NEWS01/11240310/Vermont-law-on-drug-data-mining-ruled-unconstitutional


When will we learn that digital communication isn't private?

Monty Solomon <monty@roscom.com>
Sat, 27 Nov 2010 16:15:41 -0500
  (Tom Keane)

Tom Keane, 20 Nov 2010
Perspective: You've got evidence
When will we learn that digital communication isn't private?

Are scoundrels and villains just stupider today than they once were?  It
used to be that if you were going to commit a crime or merely be a bit
naughty, you'd try to cover your tracks. Getting caught was an outcome to be
avoided. Yet now we put our transgressions on display for the world to see.

A case in point comes from the campaign of Tim Cahill, state treasurer and
erstwhile independent candidate for governor. In the waning weeks of the
race, stories emerged that campaign staffers had allegedly traded e-mails
about coordinating activities with the Treasury. If true, that's clearly
illegal - public money can't be used for political campaigns. The attorney
general is looking into the matter and, while I have no idea where things
will end up, heads could roll. All because, instead of having a meeting
about it or even using the telephone, those supposedly involved circulated a
bunch of e-mails.

Pretty dumb. If it's any comfort, though, they're hardly alone.  Football
player Brett Favre faces difficult times of his own for salacious text
messages sent to ex-model and New York Jets employee Jenn Sterger. Ditto
golfer Tiger Woods and his own paramours. New York gubernatorial candidate
Carl Paladino got into trouble for forwarding racist jokes. Florida
Representative Mark Foley resigned in 2006 after the unearthing of sexually
explicit instant messages he sent a 16-year-old congressional page. The
Boeing Corp. ousted CEO Harry Stonecipher over indiscreet e-mails sent to a
fellow executive that were found on company servers. E-mails by Goldman
Sachs employees seemed to confirm an SEC investigation into investor fraud.
Federal investigators uncovered internal company e-mails showing that Enron
had illegally manipulated California's electricity markets. The list goes
on.

Whether it's e-mailing, texting, Tweeting, blogging, or commenting on the
Web, near-instant digital communications dominate our professional and
personal lives. From one point of view, these new technologies are just an
improvement on old-fashioned talking, writing, telephoning, and faxing. In
truth, though, they are vastly different. The old ways had some semblance of
privacy, oftentimes because they were legally protected (such as
prohibitions against recording conversations) or because of the limits of
technology (forwarding letters to thousands at once was logistically
complicated). The most striking difference, however, is the permanence of
the new forms of communication. Twenty years ago, if I sent you a letter
with inside information on a stock trade, only you and I knew about it. If
you were smart, you'd destroy the document and no one would be the
wiser. ...
http://www.boston.com/lifestyle/articles/2010/11/28/youve_got_evidence/


Re: Massive Chinese Net Reroute Exposes Web's Achilles' Heel (R 26 22)

Mike Andrews <mikea@mikea.ath.cx>
Thu, 18 Nov 2010 10:04:40 -0600

In RISKS Digest 26.22, Steven Cherry <s.cherry@ieee.org> posted:
: The U.S.-China Economic and Security Review Commission says that for a
: period of 18 minutes last April, China Telecom hijacked 15 percent of
: the world's Web traffic and sent it to servers in China, an accusation
: the state-run organization has denied. Whether the apparent reroute was
: intentional or accidental, it's exposed another weakness in the structure
: of the Web.

Well, as the ads say, "not exactly".

First, it's not a weakness in the structure of the Web, but a (minor?)
vulnerability in the structure of the Internet: if someone in China sets up
a router so that it claims to be handling traffic for an Autonomous System
(AS), some traffic for that AS may be shipped to the Chinese router. Ryan
Rawdon, below, comments on the effect of this vulnerability, which is known
as a prefix hijack.

A more correct statement, according to Bob Poortinga in a post to the
"nanog" mailing list, would be that "15% of the world's network prefixes
were 'hijacked', but the impact was minimal in the US."

Ryan Rawdon, following up on Poortinga's correction, wrote "Also worth
pointing out that if this was a normal prefix hijack without them actually
delivering the packets to the intended recipient (unlikely the case),
then there would be very little TCP data seen. A few packets on existing
connections before they time out, and SYNs on new connection attempts.
Unless they were able to push the traffic back to another ISP which didn't
see their originated routes, things would break more likely than be 'routed
via' the hijacking AS."

Once again, shock value is more important than getting the facts right.

See also pp. 243-244 (logical pages 251-252) of the 2010 Report to Congress
of the U.S.-China Economic and Security Review Commission, at
<http://www.uscc.gov/annual_report/2010/annual_report_full_10.pdf>, which
explains the hijacking event very much more clearly than does the story at
www.technewsworld.com.
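
The post above describes the mechanism in one sentence: a router that claims to handle an Autonomous System's prefixes gets some of that traffic, and (per Rawdon) a hijacker that does not forward the packets onward sees only SYNs while connections break. The following added example (mine, not from the digest, the NANOG thread or the USCC report) models that with a tiny route table: longest-prefix-match selection shows why a more-specific bogus announcement wins, a hypothetical origin-AS monitor of the kind operators run flags it, and a helper reports whether a session through the selected route would complete. The `Announcement` class, `select_route`, `hijack_alerts`, `filtered_rib` and `handshake_outcome` are my names; the prefixes and AS numbers come from the documentation ranges (203.0.113.0/24, 198.51.100.0/24, AS64496-AS64511) and are constructed, not data from the April 2010 event.

```python
# Added example (mine, not from RISKS or any cited source): how a prefix
# hijack captures traffic under longest-prefix match, and a simple origin
# monitor that detects it.  Prefixes and AS numbers are documentation
# values, constructed for this illustration.
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Announcement:
    prefix: ipaddress.IPv4Network
    origin_as: int      # last AS in the path: the one claiming to own the prefix
    as_path: tuple      # neighbour first, origin last


# Constructed routing table: the legitimate /24 from AS64500, a bogus more-
# specific /25 for the same space originated by AS64496, and an unrelated prefix.
OWNED = [ipaddress.ip_network("203.0.113.0/24")]
LEGIT_ORIGIN = 64500
RIB = [
    Announcement(ipaddress.ip_network("203.0.113.0/24"), 64500, (64510, 64500)),
    Announcement(ipaddress.ip_network("203.0.113.0/25"), 64496, (64511, 64496)),
    Announcement(ipaddress.ip_network("198.51.100.0/24"), 64501, (64510, 64501)),
]


def select_route(rib, destination) -> Optional[Announcement]:
    """Longest-prefix match, ties broken by shorter AS path: a deliberate
    simplification of BGP best-path selection, enough to show the effect."""
    dst = ipaddress.ip_address(destination)
    covering = [a for a in rib if dst in a.prefix]
    if not covering:
        return None
    return max(covering, key=lambda a: (a.prefix.prefixlen, -len(a.as_path)))


def hijack_alerts(rib, owned_prefixes, expected_origins):
    """Flag any announcement equal to or more specific than a prefix we own
    whose origin AS is not one we expect (hypothetical monitor logic)."""
    return [
        a for a in rib
        if any(a.prefix.subnet_of(p) for p in owned_prefixes)
        and a.origin_as not in expected_origins
    ]


def filtered_rib(rib, alerts):
    """The table an operator would use after dropping flagged announcements."""
    return [a for a in rib if a not in alerts]


def handshake_outcome(rib, destination, forwarding_ases):
    """Rawdon's point: if the selected route's origin does not forward packets
    to the real destination, a client's SYN gets no SYN-ACK and the session
    never forms; if it does forward, the session completes (and is observable)."""
    route = select_route(rib, destination)
    if route is None:
        return "unreachable"
    return "session completes" if route.origin_as in forwarding_ases else "SYN sent, no SYN-ACK"


if __name__ == "__main__":
    host = "203.0.113.10"
    print("selected origin:", select_route(RIB, host).origin_as)
    alerts = hijack_alerts(RIB, OWNED, {LEGIT_ORIGIN})
    print("alerts:", [(str(a.prefix), a.origin_as) for a in alerts])
    print("outcome via hijacker:", handshake_outcome(RIB, host, {LEGIT_ORIGIN}))
    print("after filtering:", select_route(filtered_rib(RIB, alerts), host).origin_as)
```

The /25 wins for any host in the lower half of the /24 even though the legitimate /24 is still present, which is why a hijack needs no removal of the real route to divert traffic. The monitor only reacts to equal-or-more-specific announcements, since a less-specific aggregate never beats the owner's own prefix under longest-prefix match.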


Re: New study on adverse events in hospitals (RISKS-26.22)

Barbara Zanzig <bzanzig@gmail.com>
Tue, 23 Nov 2010 03:50:08 -0800

My mother was hospitalized during the time period mentioned in Rita's report
(surrounding October 2008) and died in March 2009. During the two years
leading up to her death she was diagnosed with MRSA, a hospital-caused
infection; c-diff (clostridium difficile), another hospital-caused
infection, although I don't believe she had it; and several other issues.
She was a Medicare patient, the sort reported on.

I don't see the RISKS, but from everything my mother went through, as well
as the report, cost-cutting on nursing staff by hospitals is a huge part of
the reported problem. I watched her nurses. They are vastly underpaid and
understaffed, and the nation's serious acute care depends largely on them.
They, and the hospitalists, work incredible hours. No wonder they make
mistakes.

The report, as well as my mother's care, is a classic description of money
and profit trumping actual care. RISKS are only a matter of reporting, and
time.

Barbara Zanzig <bzanzig@gmail.com> Kirkland, WA


Malware Analysts' Cookbook and DVD (Ligh et al., review by Richard Austin)

Peter G Neumann <neumann@csl.sri.com>
Tue, 16 Nov 2010 23:14:51 -0700

Review by Richard Austin in IEEE Cipher (IEEE-security.org online newsletter)
  Michael Hale Ligh, Steven Adair, Blake Hartstein, and Matthew Richard
    Malware Analysts' Cookbook and DVD:
    Tools and Techniques for Fighting Malicious Code
John Wiley & Sons 2011.
ISBN 978-0-470-61303-0 amazon.com USD37.79
Table of contents:
  http://media.wiley.com/product_data/excerpt/33/04706130/0470613033-1.pdf

Battling malware has much in common with an arms race - defenders develop
new defenses which forces adversaries to adapt and innovate to overcome
those defenses, and the cycle repeats ad infinitum.  Given this never-ending
struggle and the wide prevalence of malware, malicious code analysis is
becoming a more important component of the technical repertoire of
information security professionals.  For many years the classic starting
point for aspiring malware analysts has been Peter Szor's "The Art of
Computer Virus Research and Defense" (reviewed in the March, 2005 edition of
Cipher by Bob Bruen, see
http://ieee-security.org/Cipher/BookReviews/2005/Szor_by_bruen.html) and the
"Malware Analyst's Cookbook" provides a valuable update on the state of the
art.

At 700+ pages (plus a DVD of tools), this book provides wide coverage of the
tools and techniques used by the practicing malware analyst in a very
hands-on fashion.  The book is organized into 18 chapters made up of
"recipes" that describe the purpose and use of a particular tool or
technique.  The recipes are clearly presented with illustrations and code
snippets used to show the technique in action.  The tools DVD uses the same
chapter organization and clearly links its contents with the text (a pet
peeve of mine is the companion CD/DVD which is nothing more than a blob of
tools with no organization whatever).  Many references are provided to aid
in finding more details or additional information on a particular topic.

The focus is on Windows malware (not surprising since most malware targets
that platform) but uses tools that run on Windows, Linux and even MacOS.
Topic coverage is comprehensive and ranges from how to research malware
anonymously using Tor or various proxies to the tried-and-true techniques
for analyzing suspicious executables or DLLs to cutting-edge topics such as
memory forensics.

The substantial value of the book is that it collects, in one place,
accessible material on a plethora of useful tools whose documentation is
scattered across a universe of project websites and archives.  The recipes
are much more than a regurgitation of "man" pages and show why a particular
tool is useful and how it is applied in a particular situation.  The authors
gained many "credibility points" in the introduction when they identified
and provided links to the compiler and driver kit required to modify their
binary tools.  By delving deep into the analysis of malware, the authors
provide a master-course in how malware actually works and the devious
techniques its creators use to subvert our systems to their purposes
(confess, do you really know what an IAT-hook is?).

If there is a criticism of the book, and it is a mild one, it is that it is
a cookbook.  Reading it front-to-back will cause you to quickly become lost
in contemplation of individual trees while remaining blind to the
forest.  A quick skim with a detailed working-through of several interesting
recipes will set the stage for when you later reach for this book in
carrying out a particular task.  If you are a technical professional with an
interest in or responsibility for malware analysis, this book is a worthy
companion to Szor's book and merits a place on your shelf.  It will become a
familiar reference in answering the question "I wonder how you ...".

-----

Richard Austin MS, CISSP (http://cse.spsu.edu/raustin2) spent 30+ years in
the IT industry holding positions ranging from software developer to
security architect before becoming a semi-retired, part-time academic.  He
welcomes your thoughts and comments on this review at raustin2 at spsu dot
edu.


Cyber Warmongering and Influence Peddling

Gary McGraw <gem@cigital.com>
Wed, 24 Nov 2010 15:22:38 -0500

The RISK of rampant exaggeration and hyperbole when it comes to FUD is
payable in terms of privacy and rampant government waste.

Cyber Warmongering and Influence Peddling
http://www.informit.com/articles/article.aspx?p=1662328

In the article we attempt to provide some guidance for policymakers as they
cut through the BS in our field.

If you have the ears of any relevant policy makers in the government, please
pass this on to them.
