The recent 9.0 earthquake in Japan and the ensuing tsunami remind us once again about how globally interrelated everything has become. For example, the fishing fleet in Crescent City, California was essentially destroyed by the tsunami—all the way across the Pacific. Just-in-time parts supplies for various automobile manufacturers were disrupted in many different countries. Many airport schedules were dramatically affected. Radiation concerns abound in Japan, and are echoed around the world with respect to other potentially susceptible nuclear power plants.

Planning for worst cases is seemingly a losing battle under serious emergencies in which the design and operational assumptions are dramatically exceeded. That certainly compounded the long-term future of the affected Japanese reactors. It also reminded us that backup systems can present serious risks, especially when they are also wiped out and when the standby power runs out. Massive propagating electrical outages have recurred since 1965, despite continual reassurances that they can no longer happen.

With respect to trustworthy computing, the Department of Homeland Security Cybersecurity Roadmap discusses eleven topic areas in which extensive work is needed with respect to research, development, test, evaluation, and technology transfer (http://www.cyber.st.dhs.gov/documents.html). An Appendix to that report (Disclaimer: I wrote that appendix) illustrates the remarkable extent to which each of those eleven areas can depend on the successful operations in the other areas. But even more remarkable is the extent to which all of the critical national infrastructures depend on computer-communication systems and of course in most cases the Internet itself. This may be old stuff to RISKS readers, but too many others do not seem to get it. When push comes to shove, we wind up with short-sighted approaches. The counter argument says that risk analysis showed that what was done was prudent. Prudent, schmoodent.
We still don't build systems and applications that are trustworthy even under ordinary circumstances. Thus, we are all in this together. To paraphrase John Donne (and to acknowledge Bob Morris, who in September 1988 at a CSTB meeting in Washington DC said that “To a first approximation, every computer in the world is connected with every other computer.”), No system is an island, in spite of itself. Every mishap diminishes me—and potentially many others. I'm donne with my soape boxe.

However, it is worth noting that the Japanese are probably better prepared for major earthquakes than any other nation. For example, consider this item from Nic Pottier in Dave Farber's IP distribution:

  Fantastic take on the Japanese Earthquake
  Covering all the million things that went fantastically well:
  http://www.kalzumeus.com/2011/03/13/some-perspective-on-the-japan-earthquake/
http://planetsave.com/2011/03/18/canadian-nuclear-plant-leaks-radioactive-water-into-lake-ontario/

With all the focus placed on the Japanese radiation leak as well as the toxic plume of radioactive particles (possibly containing uranium and plutonium) heading for the United States, another potential disaster is receiving virtually no attention. Of course, attention should be paid to the Japanese situation. Nevertheless, it seems the continent of North America is being hit from two sides in terms of radiation danger.

On 16 Mar, a report was released by the Canadian Broadcasting Corporation (CBC) stating that Canada's Ontario Power Generation has released radioactive water into Lake Ontario via a leak in the Pickering A nuclear generating station. As a result of what appears to be a pump seal failure, tens of thousands of litres of radioactive water escaped the generating station on Monday and ended up in Lake Ontario. This is concerning for a number of reasons, but it is especially concerning considering the fact that Lake Ontario is the main source of drinking water for millions of people....
Dan Goodin in San Francisco, *The Register*, 22 Mar 2011
http://www.theregister.co.uk/2011/03/22/scada_exploits_released/
[Thanks to Jeremy Epstein. PGN]

The security of software used to control hardware at nuclear plants, gas refineries and other industrial settings is coming under renewed scrutiny as researchers released attack code exploiting dozens of serious vulnerabilities in widely used programs.

The flaws, which reside in programs sold by Siemens, Iconics, 7-Technologies, Datac, and Control Microsystems, in many cases make it possible for attackers to remotely execute code when the so-called supervisory control and data acquisition software is installed on machines connected to the internet. Attack code was released by researchers from two separate security camps over the past week.

"SCADA is a critical field but nobody really cares about it," Luigi Auriemma, one of the researchers, wrote in an email sent to The Register. "That's also the reason why I have preferred to release these vulnerabilities under the full-disclosure philosophy."

The vulnerability dump includes proof-of-concept code for at least 34 vulnerabilities in widely used SCADA programs sold by four different vendors. Auriemma said the majority of the bugs allow code execution, while others allow attackers to access sensitive data stored in configuration files and one makes it possible to disrupt equipment that uses the software. He included a complete rundown of the vulnerabilities and their corresponding PoC code in a post published on Monday to the Bugtraq mail list. [...]
On 8 Mar 2011, shortly after 9 am, a Berlin ditch-digger managed a coup that would have made a terrorist proud. He found the single point of failure - the three electrical mains cables that run into the Bundestag. The mains were cut, and suddenly the parliament building and three office buildings in the immediate neighborhood were plunged into darkness.

They swore. They waited a bit. They twittered - at least the mobile telephones still had juice, even if the computers and coffee pots had died. Then an announcement came through by megaphone: Don't use the toilets! It seems that the modern toilets in the German parliament are all electronic flush deals. No juice, no flush.

Minutes dragged on to hours. There was still no electricity. Luckily, it was not a day in which parliament was meeting; there were just the workers around, who were told to go home. The chancellor, it seems, was in a better position. Her offices have an emergency electrical system that actually worked. So Germany was not completely thrown into anarchy for half a day; if something important had happened in the world, it would have been possible to get the chancellor on the phone, although she couldn't reach her important files that were on a server somewhere deep in the blackout.

So we are back to the simple risks: Single point of failure. Will they never learn?

Debora Weber-Wulff, HTW Berlin, Treskowallee 8, 10313 Berlin +49-30-5019-2440 email@example.com http://www.f4.htw-berlin.de/people/weberwu/
Andriaus Vaitkevičiaus, Estonian student finds flaw in e-voting, seeks nullification of result, alfa.lt, 10 Mar 2011
http://www.alfa.lt/straipsnis/10740189/?Estonian.student.finds.flaw.in.e.voting..seeks.nullification.of.result=2011-03-10_10-28

A university student claims to have found a fatal flaw in the online election software that could make it possible for a virus to block certain candidates without the voter ever knowing that tampering had occurred. "Those who are operating the system have unfortunately not done their work well as they have not explained these risks to the electoral committee and candidates," said Paavo Pihelgas, a student at the University of Tartu, who has sent the election committee a complaint seeking nullification of the election result.
Aberdeen Harbour: ships collide, caught on camera

On 26 Feb 2011, the SBS Typhoon collided with VOS Scout head-on and forced her into Ocean Searcher. The Typhoon's owners said the accident was caused by a software fault—“a glitch in fitting new, high-tech equipment” for a new dynamic positioning system. Minor damage to each ship was reported, and no injuries. [Source: BBC News, PGN-ed]
www.bbc.co.uk/news/uk-scotland-north-east-orkney-shetland-12689927
The UK Ministry of Defence has informed Ofcom of the following GPS jamming exercise:

Dates: Jamming will be conducted on a maximum of 3 week-days in the period 10-21 July 2011.
Times: 0900-1730 BST.
Location: Jamming aircraft will orbit at 10,000ft above mean sea-level (AMSL) along a 50nm flightpath on a heading of 270°T from Kirkwall, starting 10nm to the west of Kirkwall and ending 60nm to the west of Kirkwall.
Possible areas affected: The GPS jamming is likely to affect civilian Standard Positioning Service (SPS) receivers over a large area. A minimum jammer to signal vulnerability of 30dB has been assumed for a civilian receiver. Signal theory suggests that a SPS civilian receiver should have approximately 32dB of jamming resistance.
Safety of Life Operations: Safety of life operations will take precedence over exercise activities at all times. To this end, the AWC is open to further discussion with any official recipient on the potential implications of this jamming exercise.
Contact point: During the exercise, any official recipient (or their delegated representative) and any member of the Emergency Services may terminate the jamming for safety reasons by calling the contact numbers below:
(1) Primary: Duty Controller Flying (TLT), RAF Kinloss - Tel: 01309 617857.
(2) Backup: Duty Controller Flying (TLT), RAF Lossiemouth - Tel: 01343 817428.
(3) Tertiary: Duty Air Surveillance Officer, National Air and Space Operations Centre - Tel: 01494 494812.
Note: Safety of life operations will take precedence over exercise activities at all times.
http://talksatellite.com/EMEA-A1474.htm

A couple of quotes from the article:

  We regularly detect instances of GPS jammers in use as we monitor radio activity around the UK. The plot from one of our detectors shows one which we saw in use on the A4 near Kew Bridge.

  A network of monitors in our major urban centres will allow us to monitor use of these jamming devices and get them turned off as soon as they are detected. This network will also act as a detector of criminal activity; there is no legitimate use for this jamming equipment.

My comments: The proposed "cure" is to locate and remove jammers. I don't know what kind of signal current jammers transmit. But, considering the very low power and wide spectrum of the GPS signal, it should not be difficult to build a jammer that is virtually impossible to locate. You can only home in on a transmitter if you can "see" it above the background noise. In my opinion, the best cure is to avoid deploying GPS-based applications that give an incentive for jamming. Road tolling is the first example that springs to mind.
As we know, theft of copper has become an increasingly serious problem. According to an item in the March issue of Modern Railways magazine, it has now caused a "major railway accident" in the Netherlands. It happened at Zevenaar, near the Dutch-German border, on January 11. The thieves took away more than 300 m (1,000 feet) of wiring, and apparently had expert knowledge since they selected cables whose absence would not be immediately detected as a fault. Consequently the signaling system was unable to detect trains in certain positions, and an Amsterdam-Cologne Inter-City Express (ICE) was switched onto a track that was actually occupied by a stationary train of empty flatcars used for container traffic. The front of the ICE sideswiped the last few flatcars, and cars of both trains were derailed. There were no deaths or serious injuries, but once the signaling system was failing to detect trains, it was clearly just a matter of luck as to what trains would collide and exactly how. As it is, repairs to the track and trains are expected to cost 1,000,000 euros.

Mark Brader, Toronto, firstname.lastname@example.org | "Volts are like proof." --Steve Summit
John P. Mello, Jr., writing on the testimony of James Lewis (CSIS): Examining the Cyber Threat to Critical Infrastructure and the American Economy; Efforts to make Internet secure are ineffective, 18 Mar 2011
http://www.gsnmagazine.com/node/22713?c=cyber_security

James Lewis: While some progress has been made by some federal agencies in making cyberspace secure, overall efforts have been ineffective, according to a well-known security expert. "What we are doing now to secure cyberspace is not working," a House subcommittee was told March 16 by James Lewis, director and a senior fellow in the Technology and Public Policy program at the Center for Strategic and International Studies in Washington, DC (CSIS.org). "There's been real progress at some agencies like DHS, but we need to rethink our approach," he told the Cybersecurity, Infrastructure Protection and Security Technologies panel.

Military establishments in some countries have the capability to launch a cyber attack on the United States, he maintained. "They're not going to launch a cyber attack because they're not going to start a war for no reason with the U.S., they're deterred by our military, but if they ever did attack us, we are unprepared to defend ourselves." Terrorists don't have the capability—yet—to launch cyber attacks; however, groups like al-Qaeda are trying to obtain the capability, he said. "Perhaps more worrisome, Iran and North Korea are developing cyber-attack capabilities. When these terrorist and rogue states can launch a cyber attack, they, too, will find that we're unprepared."

He declared that cyber crime and cyber espionage are daily occurrences in the United States and are doing long-term damage to the nation's economy and global competitiveness. What's more, they set the stage for cyber attacks. "Some of our opponents use cyber criminals as mercenaries. Our most advanced opponents in cyber crime and cyber espionage can overpower even the most technologically sophisticated U.S. company."

He called for shelving the status quo in cyber security. "We need a new strategy that uses all the tools of American power—military, law enforcement, homeland security, partnership with the private sector," he said. "If we can come up with this new combined strategy, we will be able to do something effective to protect ourselves, but we're not there yet by any stretch of the imagination."
On 24 Feb 2011, Google made a change to their search algorithm that has devastated the search rankings of many sites. According to this article, it was done to downgrade so-called "farmer" websites that have shallow, low-value content.
http://searchengineland.com/google-forecloses-on-content-farms-with-farmer-algorithm-update-66071

As evidenced by the reader comments (more like complaints) at the end of the article, many sites with high-value content have seen drastic reductions in visitors. One of my favorite websites is http://www.waynesthisandthat.com written by a retired engineer. He writes about his hobbies and interests, and the site is high-value, original content. But he got hit hard—an average of 8,500 visits daily before the 24th dropped to 6,500 afterward, though there were 14,000 on the 24th.

Risks? Not many for a hobbyist site, other than less satisfaction from creating and adding to it. For a commercial site, it could have tremendous economic impact. In the big picture, Google may have developed too much dominance in this space, like IBM or AT&T did in their spaces before the consent decrees of 1956.
I think this takes the concept of corporate email filters that block naughty words to a whole new level:

  "... A Beijing entrepreneur, discussing restaurant choices with his fiancée over their cellphones last week, quoted Queen Gertrude's response to Hamlet: “The lady doth protest too much, methinks.” The second time he said the word `protest', her phone cut off."

http://www.nytimes.com/2011/03/22/world/asia/22china.html?_r=3

robert schaefer, Atmospheric Sciences Group, MIT Haystack Observatory, Westford, MA 01886 781-981-5767 http://www.haystack.mit.edu
Gabriel Dance, Computers Get Better at Knowing When to Hold 'Em or Fold 'Em: Smarter Than You Think: Invasion of the Poker Bots, *The New York Times*, 14 March 2011, National Edition pp. A13, A16.

Playing against opponents in online poker, a professional poker player—Bryan Taylor—found some of his frequent opponents were playing quite similarly on PokerStars. After an investigation, he discovered that his opponents were in fact computer programs masquerading as people—and are so much better than they used to be that they are very difficult to beat [especially if they are going to clean you out, or worse, if the gambling site were itself cheating. PGN]. Bryan managed to get PokerStars to shut down some of the bots. On the other hand, poker bots are widely available on the Internet, and seem to be proliferating widely! (Although Internet gambling is illegal in the U.S., many sites are off-shore and widely used.)

[I saw *The Sting* on TV last night for the Nth time, with its own lessons on clever scams. But I am once again reminded that anyone thinking he or she can make easy money on the Internet from an off-shore game is probably one of those who believes that electronic voting machines are absolutely infallible—and especially the off-shore ones run by unknown third parties. Caveat aleator! PGN]
No, it's not a joke. Marvin Wimberly was afraid he was going to lose his job at Bob's Space Racers, maker of Whac-A-Mole. So he modified the software (who knew there was software in those things?) so that after some number of moles, they stop popping up - and he'd keep his job fixing the software.

I heard this first on NPR's Wait Wait (a comedy quiz show), and wasn't convinced it was true. (See http://www.npr.org/2011/03/05/134276249/Bluff-The-Listener for the transcript.) But an Orlando TV station is also reporting it (http://www.wftv.com/news/26986709/detail.html) and other seemingly mainstream news sources. The charge is for infringing on Bob's intellectual property, punishable by 15 years in jail. I never knew moles had IP.

I'm not sure if the risk is the obvious insider threat, or using software to implement such a game, or my gullibility in believing such a fish story....
*The NY Times* reports that New Jersey came close to selling used computers with files on abused children, employee evaluations, tax returns, lists of passwords, memoranda from a judge regarding possible lawyer misconduct, etc. According to a study by the state comptroller, 79% of the machines being sold held data, "much of it confidential".

Nothing new here - there have been studies showing this before. Cf. Simson Garfinkel, "Remembrance of Data Passed: Used Disk Drives and Computer Forensics", USENIX LISA 2004 (www.usenix.org/event/lisa04/tech/talks/garfinkel.pdf). Just sad that this is still happening...

Perhaps this was the most interesting part: "[The comptroller's] report says that one agency had a device that magnetically erased computer drives, but that employees did not like to use it because it was noisy." Do you suppose government agencies that handle classified data have such a cavalier attitude about data protection?

http://www.nytimes.com/2011/03/10/nyregion/10computers.html
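The item above is about machines leaving an organisation with their data still on them; the control that was missing is a verification step after the wipe. The following is an added example, not from the RISKS post or from the reports it cites: a small Python check that scans a disk image block by block and classifies each block as all-zero, random-looking (a one-pass random overwrite), or structured (anything else, which means residual data). The block size, the entropy threshold, the printable-text heuristic and the sample "used drive" image are all constructed here for illustration; on a real asset-disposal line you would run the same scan over a raw device opened read-only.

```python
"""Verify that a disk image no longer carries recoverable data before disposal.

Added example (not from the RISKS post or the NYT report). Classifies each
block as 'zero', 'random' or 'structured'; any 'structured' block means the
media still holds something worth looking at before it leaves the building.
Thresholds and the sample image below are constructed for this illustration.
"""
import math
import random
import re
from typing import Dict

BLOCK_SIZE = 4096  # assumed scan granularity
# 24+ consecutive printable ASCII bytes: a cheap hint of text, configuration
# files or password lists surviving on the media.
PRINTABLE_RUN = re.compile(rb"[\x20-\x7e]{24,}")
# Assumed threshold: 4 KiB of uniformly random bytes scores about 7.95 bits/byte.
RANDOM_ENTROPY_BITS = 7.0


def block_entropy(block: bytes) -> float:
    """Shannon entropy of one block, in bits per byte."""
    counts = [0] * 256
    for b in block:
        counts[b] += 1
    n = len(block)
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


def classify_block(block: bytes) -> str:
    """'zero' (all 0x00), 'random' (overwrite pattern) or 'structured' (residual data)."""
    if not any(block):
        return "zero"
    if PRINTABLE_RUN.search(block):
        return "structured"
    if block_entropy(block) >= RANDOM_ENTROPY_BITS:
        return "random"
    # Non-zero but low entropy: file-system metadata, binaries, partial fills.
    return "structured"


def scan_image(image: bytes, block_size: int = BLOCK_SIZE) -> Dict[str, int]:
    """Count blocks of each class across the whole image."""
    stats = {"zero": 0, "random": 0, "structured": 0}
    for off in range(0, len(image), block_size):
        stats[classify_block(image[off:off + block_size])] += 1
    return stats


def looks_sanitized(stats: Dict[str, int]) -> bool:
    """Sanitized means no block still looks like structured data."""
    return stats["structured"] == 0


def build_sample_image(num_blocks: int = 8) -> bytes:
    """Constructed 'used drive': mostly empty, two blocks of leftover files."""
    image = bytearray(num_blocks * BLOCK_SIZE)
    leftover = (b"Tax return 2010: name=J. Doe (constructed) SSN=000-00-0000\n"
                b"passwords.txt: intranet password=example-only\n")
    for blk in (1, 5):
        image[blk * BLOCK_SIZE:blk * BLOCK_SIZE + len(leftover)] = leftover
    return bytes(image)


def overwrite_with_random(image: bytes, seed: int = 0) -> bytes:
    """Simulate a one-pass pseudo-random overwrite (deterministic for the demo)."""
    rng = random.Random(seed)
    return bytes(rng.getrandbits(8) for _ in range(len(image)))


if __name__ == "__main__":
    before = scan_image(build_sample_image())
    print("before wipe:", before, "sanitized:", looks_sanitized(before))
    after = scan_image(overwrite_with_random(build_sample_image()))
    print("after wipe: ", after, "sanitized:", looks_sanitized(after))
```

The check deliberately treats a partially filled block (random bytes followed by zeros, say) as structured rather than clean: a false alarm costs one manual look, whereas a missed block is exactly the failure the comptroller's report describes.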
We hear of so many clueless, unresponsive companies that I thought I would report a success story. I recently got an email from National Car Rental about their Emerald Club (I am a member), asking me to click on a link inside the email. But the URL for that link, a long complex one, was to the site cl.exct.net/... . So I sent my usual letter of complaint, explaining that this type of letter was teaching people to fall for phishing attempts. I send these letters out a lot; I never get any answers (except sometimes a form letter thanking me for writing). But hey, National forwarded my letter to an assistant VP, who said:

  "Thank you for your recent comment regarding our update links. You were kind enough to point out to us the flaw in having such a long link not directly associated with our brand. In today's world, there is no doubt that many of our customers would see this as a phishing e-mail. Certainly this is the opposite of the service we are trying to provide in this e-mail.

  "As a result of your comment we are in the process of introducing a brand friendly link. We hope to roll this out on all new emails beginning in April."

Rare successes should be celebrated. Ideally, these requests should be unnecessary, but it is nice to see a company that is trying to help reduce risks.

Don Norman, www.jnd.org, email@example.com
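The "brand friendly link" the assistant VP promises is something a sender can check mechanically before a campaign goes out, and a mail filter can apply the same rule in the other direction. The following is an added example, not code from the post or from National Car Rental: a Python function that pulls every link out of an HTML message and flags those whose host is not the brand's own domain or a subdomain of it. The sample message and the domain `nationalcar.example` are constructed for the illustration (the host `cl.exct.net` is the one the post mentions); the comparison is done label by label, so a lookalike host that merely contains the brand name is still flagged.

```python
"""Flag links in an HTML e-mail whose host is not under the sender's own domain.

Added example, not from the RISKS post: the post describes a brand e-mail whose
call-to-action pointed at cl.exct.net rather than the sender's domain. A sender
can run this over outgoing campaign mail; a recipient-side filter can use the
same rule as one phishing heuristic. Sample message and brand domain below are
constructed for illustration.
"""
from html.parser import HTMLParser
from typing import List, Tuple
from urllib.parse import urlsplit


class _LinkCollector(HTMLParser):
    """Collect href targets of <a> tags using only the standard library."""

    def __init__(self) -> None:
        super().__init__()
        self.links = []  # type: List[str]

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "a":
            return
        for name, value in attrs:
            if name.lower() == "href" and value:
                self.links.append(value.strip())


def host_under_domain(host: str, brand_domain: str) -> bool:
    """True if host equals brand_domain or is a subdomain of it.

    Label-wise comparison: 'nationalcar.example.lookalike.example' and
    'notnationalcar.example' both fail for brand 'nationalcar.example'.
    """
    host = host.lower().rstrip(".")
    brand_domain = brand_domain.lower().rstrip(".")
    return host == brand_domain or host.endswith("." + brand_domain)


def off_brand_links(html: str, brand_domains) -> List[Tuple[str, str]]:
    """Return (href, host) pairs whose host is not under any brand domain.

    Links without a network host (mailto:, relative paths, fragments) are
    skipped: they cannot hand the reader off to a third-party site.
    """
    collector = _LinkCollector()
    collector.feed(html)
    flagged = []
    for href in collector.links:
        parts = urlsplit(href)
        if parts.scheme not in ("http", "https") or not parts.hostname:
            continue
        if not any(host_under_domain(parts.hostname, d) for d in brand_domains):
            flagged.append((href, parts.hostname))
    return flagged


# Constructed sample message modelled on the situation in the post.
SAMPLE_HTML = """
<html><body>
<p>Emerald Club member, please
<a href="http://cl.exct.net/?qs=0123456789abcdef0123456789abcdef">update your profile</a>.</p>
<p>Or visit <a href="https://www.nationalcar.example/emeraldclub">our site</a>
or <a href="https://www.nationalcar.example.lookalike.example/login">this one</a>.</p>
<p><a href="mailto:service@nationalcar.example">Contact us</a>
<a href="/unsubscribe">Unsubscribe</a></p>
</body></html>
"""


def check_sample() -> List[Tuple[str, str]]:
    """Run the check on the constructed message against the constructed brand domain."""
    return off_brand_links(SAMPLE_HTML, ["nationalcar.example"])


if __name__ == "__main__":
    for href, host in check_sample():
        print(f"off-brand link host {host}: {href}")
```

A tracking redirector that the marketing team insists on keeping can be handled by putting it on a subdomain of the brand (so it passes this check) rather than by adding its third-party host to an allow list, which would reintroduce exactly the habit the post complains about.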
27th Annual Computer Security Applications Conference (ACSAC 2011)
Buena Vista Palace Hotel & Spa in the Walt Disney World Resort, Florida, USA
5-9 December 2011
http://www.acsac.org

CALL FOR PARTICIPATION

The Annual Computer Security Applications Conference (ACSAC) is an internationally recognized forum where practitioners, researchers, and developers in information and system security meet to learn and to exchange practical ideas and experiences. If you are developing, researching, or implementing practical security solutions, consider sharing your experience and expertise at ACSAC. We are especially interested in submissions that address the application of security technology, the implementation of systems, and lessons learned. [...]

SUBMISSION DEADLINES: Papers (peer-reviewed), Case Studies, Courses/Tutorials, Panels, Workshops all 6 June 2011; Posters and Works-in-Progress 2 Sept 2011

TECHNICAL TRACK PAPER SUBMISSIONS:
Chair: John McDermott, Naval Research Lab
Co-Chair: Michael Locasto, University of Calgary

CASE STUDIES IN APPLIED SECURITY:
Chair: Steven Rome, Booz Allen Hamilton
Co-Chair: Ken Shotting, DoD

[Long item PGN-ed for RISKS. See http://www.acsac.org for details. This is an excellent conference (with workshops) for application security. PGN]
Computers, Freedom, and Privacy: Research Poster Showcase
Submission Site: https://www.easychair.org/account/signin.cgi?conf=cfp21research

This year's Computers, Freedom and Privacy Conference will feature a research showcase in the form of a research poster session as well as a research panel that includes the authors of the best research posters.

CFP is the leading policy conference exploring the impact of the Internet, computers, and communications technologies on society. For more than a decade, CFP has anticipated policy trends and issues, and has shaped the public debate on the future of privacy and freedom in an ever more technology-filled world. CFP focuses on topics such as freedom of speech, privacy, intellectual property, cybersecurity, telecommunications, electronic democracy, digital rights and responsibilities, and the future of technologies and their implications. Researchers who work in any of these areas are invited to submit research abstracts.

We seek research abstracts describing recent or ongoing research in all areas relevant to the conference themes. We are especially interested in research abstracts that present results with clearly articulated policy implications. Abstracts should be written for a general audience and should avoid using technical or legal jargon. Submitted research abstracts can be either unpublished original research (including work in progress), or research that has been recently published (2010 or 2011). Accepted abstracts or links to published papers will be posted on the CFP web site and authors will be invited to present their work in the form of a poster during a poster session on June 16, 2011. The authors of the best research posters will be invited to participate in a panel discussion.

Please submit your abstract online at: https://www.easychair.org/account/signin.cgi?conf=cfp21research
If the research has been published, also include the full citation and URL. Attach a 1-2 page extended abstract or the full paper as a PDF file. Please note that poster abstracts should be formatted like short papers, not like posters. Authors of accepted posters will be sent information about how to prepare and format posters for the conference.

Submissions will close at 5pm, US East Coast time, the evening of April 3.

* Co-chair Serge Egelman <firstname.lastname@example.org>, NIST
* Co-chair Jeremy Epstein <email@example.com>, SRI
* L Jean Camp <firstname.lastname@example.org>, Indiana University
* Joseph Lorenzo Hall <email@example.com>, UC Berkeley / Princeton
* Andy Oram <firstname.lastname@example.org>, O'Reilly Media
* Janice Tsai <email@example.com>, Microsoft