The RISKS Digest
Volume 26 Issue 34

Saturday, 12th February 2011

Forum on Risks to the Public in Computers and Related Systems

ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator



Internet role in Egypt's protests
Brian Randell
Hackers Breach Tech Systems of Multinational Oil Companies
John Markoff
Hacker steals 400,000,000,000 Zynga poker chips
Athima Chansanchai
Certified Lies ... Government Interception... SSL
Yet another personal, medical, info series of tapes lost
Danny Burstein
Sweetheart deal for billionaire could cut off GPS service
Geoff Goodfellow
Vatican bans "confession app"
Lauren Weinstein
Breaking the Web by assuming Javascript is running
Thomas Dzubin
Anonymous smear campaigns on the Internet
Mark Thorson
Advantages of no electronic controls?
Peter Z Ingerman
Rightists launch battle to block Facebook pages of left-wing groups
Amos Shapir
Facebook and
Gene Wirchenko
Prank "dating site" imports 250K Facebook profiles w/o permission
Lauren Weinstein
FEMA Loses Lessons Learned Data
Stephen Fairfax
Outsourcing elections in the Netherlands
Anne-Marie Oostveen
Oscar voting
Tom Sherak
Tree octopus exposes Internet illiteracy
Sam Waltz
REVIEW: "Inside Cyber Warfare", Jeffrey Carr
Rob Slade
CAISE'11 FORUM - Call for Short Papers and Tool Demonstrations
Selmin Nurcan
Info on RISKS (comp.risks)

Internet role in Egypt's protests

Brian Randell <>
February 9, 2011 6:19:11 PM EST

The BBC website now has a very interesting article "Internet role in
Egypt's protests" by Anne Alexander (Buckley Fellow at the Centre for
Research in the Arts, Social Sciences and Humanities, University of

  A few days after the fall of Tunisian President Zine al-Abidine Ben Ali, a
  Jordanian newspaper printed a joke apparently doing the rounds in Egypt:
  "Why do the Tunisian youth 'demonstrate' in the streets, don't they have

  Only six days later, protests across Egypt co-ordinated by a loose
  coalition of opposition groups - many of which are very largely organised
  through Facebook - seemed to prove this cynicism wrong.

  Certainly, the Egyptian government reacted quickly: blocking social media
  sites and mobile phone networks before pulling the plug on Egypt's access
  to the Internet.

This act of censorship was spectacularly unsuccessful.
Full story at

PS. A full (three part) subtitled version of the tremendously moving
interview that Wael Ghonim (who set up the highly influential "We are all
Khaled Said" Facebook page) gave shortly after he was released from 12 days
blindfolded custody, can be found at, for example:

It's no wonder that after this interview was shown on a popular private
Egyptian TV channel (DreamTV), tens of thousands more Egyptians joined the
protest in Tahrir Square.

School of Computing Science, Newcastle University, Newcastle upon Tyne,
NE1 7RU, UK EMAIL +44 191 222 7923

Hackers Breach Tech Systems of Multinational Oil Companies (Markoff)

"Peter G. Neumann" <>
Thu, 10 Feb 2011 13:14:30 PST

[Source: John Markoff, *The New York Times*, Business Section, 10 Feb 2011,
page 2; PGN-ed]

At least five multinational oil and gas companies suffered computer network
intrusions from a persistent group of computer hackers based in China,
according to a report released Wednesday night by a Silicon Valley computer
security firm.

Computer security researchers at McAfee Inc. said the attacks, which were
similar to but less sophisticated than a series of computer break-ins
discovered in late 2009 by Google, appeared to be aimed at corporate
espionage. Operating from what was apparently a base in Beijing, the
intruders established control servers in the United States and the
Netherlands to break into computers in Kazakhstan, Taiwan, Greece and the
United States.

The focus of the intrusions was on oil and gas field production systems as
well as financial documents related to field exploration and bidding for new
oil and gas leases, according to the report. The attackers also stole
information related to industrial control systems, the researchers noted,
but no efforts to tamper with these systems were observed.

McAfee executives declined to name the victim companies, citing
nondisclosure agreements it signed before being hired to patch the
vulnerabilities revealed by the intrusions. Last year, when Google
announced that intellectual property had been stolen by Chinese
intruders, it expressed frustration that while it had observed break-ins
at a variety of other United States companies, virtually none of the
other companies were willing to acknowledge that they had been compromised.

According to the report, the intruders used widely available attack methods
known as SQL injection and spear phishing to compromise their targets. Once
they gained access to computers on internal company networks, they would
install remote administration software that gave them complete control of
those systems. That made it possible for the intruders to search for
documents as well as stage attacks on other computers connected to corporate
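The report names SQL injection as one of the two entry methods. The following is an added illustration (not code from the McAfee report or from any of the companies involved) of what that means in practice: the same document search written once with string concatenation and once with bound parameters, run against a constructed in-memory SQLite table. All names, titles and the owner accounts are made up.

```python
import sqlite3

# Constructed sample data: a tiny document index of the kind the article
# says the intruders went after. Nothing here is taken from the report.
SAMPLE_DOCS = [
    ("Lease bid, block 7", "alice"),
    ("Field production summary", "bob"),
    ("Exploration budget FY2011", "bob"),
]


def make_db():
    """Build an in-memory SQLite database holding the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE documents (id INTEGER PRIMARY KEY, title TEXT, owner TEXT)"
    )
    conn.executemany("INSERT INTO documents (title, owner) VALUES (?, ?)", SAMPLE_DOCS)
    return conn


def search_vulnerable(conn, owner, needle):
    """Injectable: user input is pasted straight into the SQL text, so it can
    change the statement's structure rather than just supply a value."""
    sql = (
        "SELECT title FROM documents "
        f"WHERE owner = '{owner}' AND title LIKE '%{needle}%'"
    )
    return sorted(row[0] for row in conn.execute(sql))


def search_parameterised(conn, owner, needle):
    """Hardened: the statement text is fixed and both values travel to the
    driver as bound parameters, so the input is only ever compared as data."""
    sql = "SELECT title FROM documents WHERE owner = ? AND title LIKE ?"
    return sorted(row[0] for row in conn.execute(sql, (owner, f"%{needle}%")))


# The textbook tautology: it closes the LIKE literal, ORs in an always-true
# condition and comments out the remainder of the statement.
TAUTOLOGY = "' OR 1=1 --"


def demo():
    """Run both searches as user 'alice' with an honest term and with the payload."""
    conn = make_db()
    return {
        "honest_vulnerable": search_vulnerable(conn, "alice", "Lease"),
        "honest_parameterised": search_parameterised(conn, "alice", "Lease"),
        # alice should only ever see her own document...
        "payload_vulnerable": search_vulnerable(conn, "alice", TAUTOLOGY),
        # ...and with bound parameters the payload is just a title nobody has
        "payload_parameterised": search_parameterised(conn, "alice", TAUTOLOGY),
    }


if __name__ == "__main__":
    for name, rows in demo().items():
        print(f"{name:22s} {rows}")
```

The owner filter is the access control here, and the vulnerable variant lets a search term discard it entirely; that is the mechanism behind "gained access to computers on internal company networks". Note that parameterisation only fixes the structural problem: the `%` and `_` wildcards inside the bound LIKE pattern are still interpreted, so a search field that must not accept wildcards needs an ESCAPE clause or input validation on top.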

Re: FW: Hacker steals 400,000,000,000 Zynga poker chips

"Peter G. Neumann" <>
Fri, 4 Feb 2011 11:35:02 PST

  [Thanks to Tim Mather]

Athima Chansanchai, Hacker steals $12 million worth of Zynga poker chips

A gambling addict hacked into gaming heavyweight Zynga and stole 400
billion virtual poker chips worth $12 million to sell on the black market.
He got caught and now he's facing some very real prison time.

No amount of Farmville tasks can get him out of this one.

Ashley Mitchell, 29, pleaded guilty to five charges brought under the
Computer Misuse Act and the Proceeds from Crime Act and remanded until a
date was fixed for sentencing, according to BBC.

BBC reported that Mitchell, who has apparently struggled with an online
gambling addiction (especially Zynga poker), "posed as an administrator for
the Zynga Poker game on Facebook in order to get at the computer systems for
the game and steal the chips" between June and September 2009. He laundered
the chips through a series of Facebook accounts trying to play catch me if
you can with Zynga, best known for its popular (and addictive) Facebook
games Farmville, Mafia Wars and the booming Cityville

But Zynga didn't get where it is by being dumb, and they soon figured out
something was amiss. They organized a sting. And they stung.
He made only about $86,000 before he was pinched.

The judge warned Mitchell he's looking at some substantial time behind bars,
though he has yet to specify the duration. But seeing as how this isn't
Mitchell's first dance as a hacker—he has a previous conviction of
hacking into a local council's web site to change his personal details --
punishment might be stiff.

Besides wondering if it is illegal to pilfer fake currency, I'm also
pondering, maybe it's also time to call Gamblers Anonymous?

had some answers via Jas Purewal, lawyer and author of Gamer/Law, who told
the publication that the case has set a new precedent.

This shows that the legal regulation and protection of virtual goods and
currency, which historically has been fairly uncertain, is evolving fast
driven partly by the boom in virtual goods sales in games. This case is
particularly interesting because it involved a UK court recognising virtual
currency - in this case, Zynga chips - as legal property which can be
protected by existing UK criminal laws... The court effectively found that
even though virtual currency isn't real and is infinite in supply, it still
can deserve legal protection in the same way as real world currency.

*UPDATE: A Zynga spokesperson sent us this response: *
"Zynga treats game security with the utmost of seriousness.   We want to
provide our users with the safest and most enjoyable game experience
possible.  To that end, we have a world class security team which continues
to proactively identify and address security breaches with the highest
priority.  We will pursue these issues vigorously, which could involve
criminal and civil prosecutions."

Excerpted from Technolog - Hacker steals $12 million worth of Zynga poker chips

Certified Lies ... Government Interception... SSL (Soghoian/Stamm)

Lauren Weinstein <>
Mon, 31 Jan 2011 16:45:41 -0800

Certified Lies: Detecting and Defeating Government Interception
Attacks Against SSL, Christopher Soghoian and Sid Stamm

 "This paper introduces the compelled certificate creation attack, in which
  government agencies may compel a certificate authority to issue false SSL
  certificates that can be used by intelligence agencies to covertly
  intercept and hijack individuals' secure Web-based communications.
  Although we do not have direct evidence that this form of active
  surveillance is taking place in the wild, we show how products already on
  the market are geared and marketed towards this kind of use, suggesting
  such attacks may occur in the future, if they are not already occurring.
  Finally, we introduce a lightweight browser add-on that detects and
  thwarts such attacks." (Cryptogon)

   From Network Neutrality Squad []
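The abstract's detection idea is that a compelled certificate is still a different certificate, so a client that remembers what it saw last time can notice the substitution. The block below is an added example written for this digest, not the Soghoian/Stamm add-on or its logic: a trust-on-first-use pin store that records the issuer and fingerprint of a host's certificate and classifies each later observation. It accepts the dictionary that `ssl.SSLSocket.getpeercert()` returns plus the DER bytes from `getpeercert(binary_form=True)`, but the certificates, host name, issuer names and DER placeholders used here are constructed, and the 30-day renewal window is an assumption.

```python
import hashlib
import ssl

# Assumption: a pin whose certificate expires within this many seconds may be
# replaced by a new certificate from the same issuer without raising an alarm.
RENEWAL_WINDOW = 30 * 24 * 3600


def summarize(peercert, der):
    """Reduce a certificate to the fields the check needs.

    `peercert` is in the dictionary form returned by getpeercert(); its
    'issuer' is a tuple of RDNs, each a tuple of (attribute, value) pairs.
    `der` is the raw certificate; SHA-256 over it is the usual fingerprint."""
    issuer = {name: value for rdn in peercert["issuer"] for name, value in rdn}
    return {
        "issuer": issuer.get("commonName", "<no CN>"),
        "fingerprint": hashlib.sha256(der).hexdigest(),
        "not_after": ssl.cert_time_to_seconds(peercert["notAfter"]),
    }


def check(store, host, observed, now):
    """Trust-on-first-use pinning with issuer tracking.

    Returns a verdict string; `store` is updated only for outcomes that look
    benign, so a suspicious certificate never overwrites the pin."""
    pinned = store.get(host)
    if pinned is None:
        store[host] = observed          # first contact: remember what we saw
        return "first-seen"
    if pinned["fingerprint"] == observed["fingerprint"]:
        return "unchanged"
    if pinned["issuer"] != observed["issuer"]:
        return "issuer-changed"         # keep the old pin; a human should look
    if pinned["not_after"] - now <= RENEWAL_WINDOW:
        store[host] = observed          # same CA, old certificate about to expire
        return "renewed"
    return "early-reissue"              # same CA, but no visible reason to rotate


# Constructed sample material (not real certificates): the DER byte strings
# are placeholders, and only their hashes matter to the check.
HOST = "mail.example.com"
NOW = ssl.cert_time_to_seconds("Feb 12 00:00:00 2011 GMT")


def _cert(issuer_cn, not_after):
    """Build a getpeercert()-shaped dictionary for the constructed host."""
    return {
        "subject": ((("commonName", HOST),),),
        "issuer": ((("organizationName", "Example Trust Ltd"),),
                   (("commonName", issuer_cn),)),
        "notBefore": "Jan 01 00:00:00 2010 GMT",
        "notAfter": not_after,
    }


CERT_ORIGINAL = _cert("Example Root CA", "Mar 01 00:00:00 2011 GMT")
CERT_RENEWED = _cert("Example Root CA", "Mar 01 00:00:00 2013 GMT")
CERT_OTHER_CA = _cert("Other Commercial CA", "Mar 01 00:00:00 2013 GMT")
CERT_REISSUED = _cert("Example Root CA", "Jun 01 00:00:00 2013 GMT")


def demo():
    """Replay a sequence of observations for HOST and collect the verdicts."""
    store = {}
    steps = [
        (CERT_ORIGINAL, b"constructed-der-1"),   # first visit
        (CERT_ORIGINAL, b"constructed-der-1"),   # same certificate again
        (CERT_RENEWED, b"constructed-der-2"),    # routine renewal, same CA
        (CERT_OTHER_CA, b"constructed-der-3"),   # different CA: alarm
        (CERT_REISSUED, b"constructed-der-4"),   # same CA, long before expiry
    ]
    return [check(store, HOST, summarize(c, d), NOW) for c, d in steps]


if __name__ == "__main__":
    for verdict in demo():
        print(verdict)
```

The useful property is the asymmetry: a cert that chains to a valid root passes the browser's normal validation, so validation alone cannot distinguish a compelled certificate from the real one, whereas a change of issuer for a host you have visited before is visible without any trust in the CA at all. The check is deliberately coarse: a compelled certificate issued by the same CA as the original would land in "early-reissue" at best, and a legitimate CA switch will produce a false alarm that someone has to resolve.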

Yet another personal, medical, info series of tapes lost

danny burstein <>
Sat, 12 Feb 2011 04:07:50 -0500 (EST)

Data Are Stolen From Hospitals, Wall Street Journal

The confidential personal health data of about 1.7 million New York City
patients, hospital staffers and others were stolen in December, the city's
Health and Hospitals Corp. [HHC] reported Friday.  The medical files, which
were stored on magnetic data tapes and extend back as long as 20 years, were
stolen on Dec. 23 from an unlocked vehicle belonging to GRM Information
Management Services, the city's medical-records vendor based in Jersey City,
N.J.  The information in the files includes names, addresses, Social
Security numbers and medical information.

Per other reports, these tapes were not encrypted.
But... it's all ok since, as reported by Fox News:

  "Officials said the stolen data was in the form of electronic files and was
  'not readily accessible without highly specialized technical expertise and
  data-mining tools.'"

Sweetheart deal for billionaire could cut off GPS service

the terminal of geoff goodfellow <>
February 10, 2011 2:02:07 PM EST

  [From David Farber's IP]

... laboratory test results from the world's top manufacturer of
navigational gizmos, Garmin Ltd. The company's engineers found that popular
consumer GPS units started experiencing dropouts when approaching within 3.6
miles of a LightSquared transmitter. A commonly used aircraft navigation
unit completely lost its fix within 5.6 miles.  Garmin spokesman Ted Gartner
told The Washington Times, "It's mind-boggling to us.  If it's implemented
as is, we've presented a pretty good case with that test that there will be
some disruptions."

  [Ed Biebel <> subsequently noted an article explaining
  more of the technical issues surrounding the interference issues between
  LightSquared and GPS.]

Vatican bans "confession app"

Lauren Weinstein <>
Thu, 10 Feb 2011 09:41:58 -0800

Update: February 10, 2011: The Vatican has now effectively banned the
"confession app" that I originally referenced in:  (Lauren's Blog)
The Vatican now says that "under no circumstances is it possible to
confess by iPhone."  Their full wording suggests that Android and
other platforms are also excluded.

Priests the world over sigh in relief.

People For Internet Responsibility:  +1(818)225-2800
Network Neutrality Squad:
Global Coalition for Transparent Internet Performance:
PRIVACY Forum:  Blog:

Breaking the Web by assuming Javascript is running

Thu, 10 Feb 2011 11:47:17 -0800 (PST)

An interesting article describes a problem that many web sites are falling
into now with high-level content creation engines.  There are many websites
now that just don't work PERIOD if the end user's browser doesn't have
Javascript enabled.  The article also touches on how minor Javascript errors
can translate into entire site problems for users of certain web browsers,
the problems of advertisements also requiring Javascript to display their
content, and how Javascript can cause content caching to fail.
Quite a good article.

And related:
"If site content doesn't load through curl it's broken"

Thomas Dzubin, Vancouver, Calgary, or Saskatoon CANADA

Anonymous smear campaigns on the Internet

Mark Thorson <>
Wed, 9 Feb 2011 10:45:40 -0800

A recent court case shows that using anonymous remailers is not always
protection against legal action.

A related previous case against the same defendant was dismissed.

Advantages of no electronic controls?

"Peter G. Neumann" <>
Tue, 8 Feb 2011 17:51:39 PST

  [Thanks to Peter Z Ingerman.]

  Man dies at 102 owns same car 82 years

  *Can you imagine having the same car for 82 years?!
  I guess it was no longer under warranty...*
  *"How Long Have You Owned a Car?" *

  Mr. Allen Swift (Springfield, MA) received this 1928 Rolls-Royce
  Picadilly P1 Roadster from his father, brand new - as a graduation gift in
  1928.  He drove it up until his death at the age of 102!  He
  was the oldest living owner of a car from new.  Just thought you'd like to
  see it.  He donated it to a Springfield museum after his death.  It has
  170,000 miles on it, still runs like a Swiss watch, dead silent at any
  speed and is in perfect cosmetic condition. (82 years).  That's
  approximately 2000 miles per year.

Rightists launch battle to block Facebook pages of left-wing groups

Amos Shapir <>
Tue, 1 Feb 2011 16:52:03 +0200

Extreme right-wing activists use a feature of Twitter which automatically
blocks a page if enough people complain that the site had transgressed
Twitter's policies, thus taking off the air many pages of left wing (or what
the activists consider to be leftist) organizations and individuals.

Full story at:

Facebook and

Gene Wirchenko <>
Tue, 08 Feb 2011 11:04:34 -0800

   1) Scrape some data from Facebook (apparently not difficult (sigh!)).
   2) Set up a dating Website ( is actually a mock-Website, but it could
    have been real.  Here is how to do it:

Jaikumar Vijayan, 'Lovely Faces' scrapes public data from Facebook to create
mock dating site; The social networking site is considering legal action
after the personal information of 1 million users was misused.  8 Feb 2011

Facebook is threatening to take legal action against the creators of an
online "dating" site that features 250,000 profiles of men and women whose
photos and personal details were scraped off the social networking giant's
site and used without their permission.

The site, called Lovely Faces, was ostensibly set up as part of an attempt
to demonstrate to the world how easy it is to misuse data that is publicly
posted on sites such as Facebook. It allows users to search for men and
women using their real names, or by categories such as "easy going", "sly"
and "smug."

Paolo Cirio, an Italian media artist, and Alessandro Ludovico, a media
critic and editor in chief of Neural magazine in Italy, are the site's
creators. On a site explaining their caper, the two admit to using an
automated bot program to systematically scrape publicly available
information from 1 million Facebook profiles (PDF document), over a period
of several months.

The goal of the experiment apparently is to highlight the often
underestimated consequences of publicly posting personal data on social
media sites such as Facebook.

"The price users pay is being categorized as what they really are, or
better, how they choose to be represented in the most famous and crowded
online environment," the duo noted. "The project starts to dismantle the
trust that 500 million people have put in Facebook."

They say Lovely Faces highlights how an "endlessly cool place" such as
Facebook is also a goldmine for identity theft. "But that's the very nature
of Facebook and social media in general. If we start to play with the
concepts of identity theft and dating, we should be able to unveil how
fragile a virtual identity given to a proprietary platform can be."

Prank "dating site" imports 250K Facebook profiles w/o permission

Lauren Weinstein <>
Thu, 3 Feb 2011 17:12:05 -0800

Prank "dating site" imports 250K Facebook profiles w/o permission  (ars technica)

FEMA Loses Lessons Learned Data

Stephen Fairfax <>
Thu, 10 Feb 2011 12:50:12 -0500

A single server failure results in loss of some 6 years worth of data.  Data
has reportedly been recovered, but hardware to provide access is not
available 8+ months after the failure.

FEMA Loses Lessons Learned Data

Apparently the lessons learned do not include much in the way of backup,
recovery, and migration procedures.

Outsourcing elections in the Netherlands (Anne-Marie Oostveen)

"Peter G. Neumann" <>
Tue, 1 Feb 2011 20:08:02 PST

Anne-Marie Oostveen, University of Oxford,
Outsourcing Democracy: Losing Control of e-Voting in the Netherlands

Outsourcing IT services is a common practice for many governments. This case
study shows that outsourcing of elections is not without risk.  Studying
electronic voting in the Netherlands through documents obtained with Freedom
of Information requests, we see that government agencies at both local and
national level lacked the necessary knowledge and capability to identify
appropriate voting technology, to develop and enforce proper security
requirements, and to monitor performance.  Furthermore, over the 20 years
that e-voting was used in the Netherlands, the public sector became so
dependent on the private sector that a situation evolved where Dutch
government lost ownership and control over both the e-voting system and the
election process.

Recommended Citation

Anne-Marie Oostveen (2010) "Outsourcing Democracy: Losing Control of
e-Voting in the Netherlands," Policy & Internet: Vol. 2: Iss. 4, Article 8.
DOI: 10.2202/1944-2866.1065

Oscar voting (Tom Sherak)

"Peter G. Neumann" <>
Fri, 4 Feb 2011 11:44:49 PST

Oscar Ballots Mailed, Tom Sherak Talks: Online Ballots, Franco and Hathaway,
  Indie Wire (blog)

Until Sherak is convinced that no one could influence the voting by hacking
into an online voting system, he's sticking with paper ballots.  It's safer.
...  But the Oscars are a fat juicy target. "I've yet to be convinced that
you couldn't find someone to hack into it.  Nobody has said to me, 'you
can't get in.'  The Academy is as pure as the driven snow."

Tree octopus exposes Internet illiteracy

Sam Waltz <>
February 3, 2011 1:34:58 PM EST

The endangered Pacific Northwest tree octopus in its natural habitat. (snicker)
Is this creature capable of exposing shocking Internet illiteracy?

Donald Leu, a researcher from the University of Connecticut, conducted a
U.S. Department of Education-funded study of Internet literacy among
so-called `digital natives', fabricating the tree octopus to test students'
ability to evaluate information they find on the Internet.

Researchers asked students to find out information about the endangered
Pacific Northwest tree octopus. Students had no problem locating a website
dedicated to the cause, but insisted on
the existence of the made-up story, even after researchers explained the
information on the website was completely fabricated, according to a press
release.  (Author's note: You gotta check out this website, you can actually
buy posters and T-shirts through Cafe Press.)

Leu: Most students "simply have very little in the way of critical
evaluation skills.  They may tell you they don't believe everything they
read on the Internet, but they do."  The study also found that students
shunned search engines in favor of typing what they think is the right site
directly into the address bar, such as When they did
use a search engine, they skipped right over legitimate pages—because it
didn't look like what they had in mind."  [PGN-ed]

  What the article fails to take into account is that we had the same
  problem for centuries before the Internet was developed. When I was in
  grade school, I was doing a research paper on Atlantis. I went to the
  local university library and grabbed all the books I could find on the
  subject, including some paranormal and occult books from the 1920s, based
  on theosophy (trust me, look it up). My paper was a huge mess, because I
  suffered from information overload, and had not learned how to judge the
  reliability of a resource yet (I suspect that we all still struggle with
  that to some extent). We forget now how many pre-Internet references are
  based on bad logic and superstition. It is certainly possible to find
  misinformation in books, magazines, as well as on the Internet. The only
  extra disadvantage the web has is that an article you find today might not
  be hosted tomorrow, or may have undergone subsequent revisions.

  Yes, we absolutely need to teach critical thinking - but we shouldn't be
  fooled into believing this is a new problem.  Sam Waltz

REVIEW: "Inside Cyber Warfare", Jeffrey Carr

Rob Slade <>
Tue, 8 Feb 2011 15:21:43 -0800

BKCYWRFR.RVW   20101204

"Inside Cyber Warfare", Jeffrey Carr, 2010, 978-0-596-80215-8,
%A   Jeffrey Carr
%C   103 Morris Street, Suite A, Sebastopol, CA   95472
%D   2010
%G   978-0-596-80215-8 0-596-80215-3
%I   O'Reilly & Associates, Inc.
%O   U$39.99/C$49.99 800-998-9938 fax: 707-829-0104
%O   Audience n Tech 1 Writing 2 (see revfaq.htm for explanation)
%P   212 p.
%T   "Inside Cyber Warfare: Mapping the Cyber Underworld"

The preface states that this text is an attempt to cover the very broad
topic of cyber warfare with enough depth to be interesting without being
technically challenging for the reader.

Chapter one provides examples of cyber attacks (mostly DDoS [Distributed
Denial of Service]), and speculations about future offensives.  More
detailed stories are given in chapter two, although the reason for the title
of "Rise of the Non-State Hacker" isn't really clear.  The legal status of
cyber warfare, in chapter three, deals primarily with disagreements about
military treaties.  A guest chapter (four) gives a solid argument for the
use of "active defence" (striking back at an attacker) in cyber attacks
perceived to be acts of war, based on international law in regard to
warfare.  The author of the book is the founder of Project Grey Goose, and
chapter five talks briefly about some of the events PGG investigated, using
them to illustrate aspects of the intelligence component of cyber warfare
(and noting some policy weaknesses, such as the difficulties of obtaining
the services of US citizens of foreign birth).  The social Web is examined
in chapter six, noting relative usage in Russia, China, and the middle east,
along with use and misuse by military personnel.  (The Croll social
engineering attack, and Russian scripted attack tools, are also detailed.)
Ownership links, and domain registrations, are examined in chapter seven,
although in a restricted scope.  Some structures of systems supporting
organized crime online are noted in chapter eight.  Chapter nine provides a
limited look at the sources of information used to determine who might be
behind an attack.  A grab bag of aspects of malware and social networks is
compiled to form chapter ten.  Chapter eleven lists position papers on the
use of cyber warfare from various military services.  Chapter twelve is
another guest article, looking at options for early warning systems to
detect a cyber attack.  A host of guest opinions on cyber warfare are
presented in chapter thirteen.

Carr is obviously, and probably legitimately, concerned that he not disclose
information of a sensitive nature that is detrimental to the operations of
the people with whom he works.  (Somewhat ironically, I reviewed this work
while the Wikileaks furor over diplomatic cables was being discussed.)
However, he appears to have gone too far.  The result is uninteresting for
anyone who has any background in cybercrime or related areas.  Those who
have little to no exposure to security discussions on this scale may find it
surprising, but professionals will have little to learn, here.

copyright, Robert M. Slade

CAISE'11 FORUM - Call for Short Papers and Tool Demonstrations

Selmin Nurcan <>
Tue, 01 Feb 2011 23:42:42 +0100

The 23rd International Conference on Advanced Information Systems Engineering
CAISE'2011, 20-24 June 2011, London, UK
IS Olympics: Information Systems in a diverse world
  Submission deadline: 21st March 2011
