The RISKS Digest
Volume 26 Issue 38

Tuesday, 22nd March 2011

Forum on Risks to the Public in Computers and Related Systems

ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator



Interconnectivity—Local, Global, and All-ways
Canadian Nuclear Plant Leaks Radioactive Water Into Lake Ontario
Geoff Goodfellow
Dozens of exploits released for popular SCADA programs
Dan Goodin
German Parliament in the Dark
Debora Weber-Wulff
Estonian voting system flawed
Three-ship collision attributed to software
Rich Brown
GPS jamming trial
Martyn Thomas
UK Royal Academy of Engineering report on GPS jamming
Erling Kristiansen
Copper thieves cause train wreck
Mark Brader
Efforts to make Internet secure are ineffective
James Lewis
Google's "Farmer" search tweaks devastate website rankings
Mark Thorson
China Tightens Censorship of Electronic Communications
Robert Schaefer
Risks of playing computerized poker
Gabriel Dance
Insider threat against Whac-A-Mole
Jeremy Epstein
NJ came close to selling private data at auction
Jeremy Epstein
Congratulating National Car rental
Don Norman
ACSAC 2011 Call for Participation
Jeremy Epstein
Computers/Freedom/Privacy Research/Poster CFP
Jeremy Epstein
Info on RISKS (comp.risks)

Interconnectivity—Local, Global, and All-ways

"Peter G. Neumann"
Tue, 22 Mar 2011 14:14:32 PDT

The recent 9.0 earthquake in Japan and the ensuing tsunami remind us once
again about how globally interrelated everything has become.  For example,
the fishing fleet in Crescent City, California was essentially destroyed by
the tsunami—all the way across the Pacific.  Just-in-time parts supplies
for various automobile manufacturers were disrupted in many different
countries.  Many airport schedules were dramatically affected.  Radiation
concerns abound in Japan, and are echoed around the world with respect to
other potentially susceptible nuclear power plants.

Planning for worst cases is seemingly a losing battle under serious
emergencies in which the design and operational assumptions are dramatically
exceeded.  That certainly compounded the long-term future of the affected
Japanese reactors.  It also reminded us that backup systems can present
serious risks, especially when they are also wiped out and when the standby
power runs out.

Massive propagating electrical outages have recurred since 1965, despite
continual reassurances that they can no longer happen.

With respect to trustworthy computing, the Department of Homeland Security
Cybersecurity Roadmap discusses eleven topic areas in which extensive work
is needed with respect to research, development, test, evaluation, and
technology transfer (  An
Appendix to that report (Disclaimer: I wrote that appendix) illustrates the
remarkable extent to which each of those eleven areas can depend on the
successful operations in the other areas.  But even more remarkable is the
extent to which all of the critical national infrastructures depend on
computer-communication systems and of course in most cases the Internet
itself.  This may be old stuff to RISKS readers, but too many others do not
seem to get it.  When push comes to shove, we wind up with short-sighted
approaches.  The counter argument says that risk analysis showed that what
was done was prudent.  Prudent, schmoodent.  We still don't build systems
and applications that are trustworthy even under ordinary circumstances.

Thus, we are all in this together.  To paraphrase John Dunne (and to
acknowledge Bob Morris, who in September 1988 at a CSTB meeting in
Washington DC said that "To a first approximation, every computer in the
world is connected with every other computer."),

  No system is an island, in spite of itself.
  Every mishap diminishes me—and potentially many others.

I'm donne with my soape boxe.  However, it is worth noting that the
Japanese are probably better prepared for major earthquakes than any other
nation.  For example, consider this item from Nic Pottier in Dave Farber's
IP distribution:

  Fantastic take on the Japanese Earthquake

  Covering all the million things that went fantastically well:

Canadian Nuclear Plant Leaks Radioactive Water Into Lake Ontario

Geoff Goodfellow
March 19, 2011 10:51:44 PM GMT-04:00

With all the focus placed on the Japanese radiation leak as well as the
toxic plume of radioactive particles (possibly containing uranium and
plutonium) heading for the United States, another potential disaster is
receiving virtually no attention.

Of course, attention should be paid to the Japanese situation. Nevertheless,
it seems the continent of North America is being hit from two sides in terms
of radiation danger.

On 16 Mar, a report was released by the Canadian Broadcasting Corporation
(CBC) stating that Canada's Ontario Power Generation has released
radioactive water into Lake Ontario via a leak in the Pickering A nuclear
generating station.

As a result of what appears to be a pump seal failure, tens of thousands of
litres of radioactive water escaped the generating station on Monday and
ended up in Lake Ontario.

This is concerning for a number of reasons, but it is especially concerning
considering the fact that Lake Ontario is the main source of drinking water
for millions of people....

Dozens of exploits released for popular SCADA programs (Dan Goodin)

"Peter G. Neumann"
Tue, 22 Mar 2011 13:42:48 PDT

Dan Goodin in San Francisco, *The Register*, 22 Mar 2011
  [Thanks to Jeremy Epstein.  PGN]

The security of software used to control hardware at nuclear plants, gas
refineries and other industrial settings is coming under renewed scrutiny as
researchers released attack code exploiting dozens of serious
vulnerabilities in widely used programs.

The flaws, which reside in programs sold by Siemens, Iconics,
7-Technologies, Datac, and Control Microsystems, in many cases make it
possible for attackers to remotely execute code when the so-called
supervisory control and data acquisition software is installed on machines
connected to the internet. Attack code was released by researchers from two
separate security camps over the past week.

"SCADA is a critical field but nobody really cares about it," Luigi
Auriemma, one of the researchers, wrote in an email sent to The
Register. "That's also the reason why I have preferred to release these
vulnerabilities under the full-disclosure philosophy."

The vulnerability dump includes proof-of-concept code for at least 34
vulnerabilities in widely used SCADA programs sold by four different
vendors. Auriemma said the majority of the bugs allow code execution, while
others allow attackers to access sensitive data stored in configuration
files and one makes it possible to disrupt equipment that uses the
software. He included a complete rundown of the vulnerabilities and their
corresponding PoC code in a post published on Monday to the Bugtraq mail
list. [...]

German Parliament in the Dark

Debora Weber-Wulff
Wed, 09 Mar 2011 08:15:19 +0100

On 8 Mar 2011, shortly after 9 am, a Berlin ditch-digger managed a coup that
would have made a terrorist proud. He found the single point of failure -
the three electrical mains cables that run into the Bundestag. The mains
were cut, and suddenly the parliament building and three office buildings in
the immediate neighborhood were plunged into darkness.

They swore. They waited a bit. They twittered - at least the mobile
telephones still had juice, even if the computers and coffee pots had
died. Then an announcement came through by megaphone: Don't use the toilets!

It seems that the modern toilets in the German parliament are all electronic
flush deals. No juice, no flush.

Minutes dragged on to hours. There was still no electricity.  Luckily, it
was not a day in which parliament was meeting, there were just the workers
around who were told to go home.

The chancellor, it seems, was in a better position. Her offices have an
emergency electrical system that actually worked. So Germany was not
completely thrown into anarchy for half a day, if something important had
happened in the world, it would have been possible to get the chancellor on
the phone, although she couldn't reach her important files that were on a
server somewhere deep in the blackout.

So we are back to the simple risks: Single point of failure.

Will they never learn?

Debora Weber-Wulff, HTW Berlin, Treskowallee 8, 10313 Berlin +49-30-5019-2440

Estonian voting system flawed

"Peter G. Neumann"
Sun, 13 Mar 2011 19:56:38 PDT

Andriaus Vaitkeviiaus, Estonian student finds flaw in e-voting, seeks
nullification of result,, 10 Mar 2011

A university student claims to have found a fatal flaw in the online
election software that could make it possible for a virus to block certain
candidates without the voter ever knowing that tampering had occurred.

"Those who are operating the system have unfortunately not done their work
well as they have not explained these risks to the electoral committee and
candidates," said Paavo Pihelgas, a student at the University of Tartu, who
has sent the election committee a complaint seeking nullification of the
election result.

Three-ship collision attributed to software

Rich Brown
Thu, 10 Mar 2011 08:48:44 -0600

Aberdeen Harbour: ships collide, caught on camera

On 26 Feb 2011, the SBS Typhoon collided with VOS Scout head-on and forced
her into Ocean Searcher.  The Typhoon's owners said the accident was caused
by a software fault—"a glitch in fitting new, high-tech equipment" for
a new dynamic positioning system.  Minor damage to each ship was reported,
and no injuries.  [Source: BBC News, PGN-ed]

GPS jamming trial

Martyn Thomas
Mon, 21 Mar 2011 09:16:10 +0000

The UK Ministry of Defence has informed Ofcom of the following GPS jamming

Dates: Jamming will be conducted on a maximum of 3 week-days in the period
10-21 July 2011.

Times: 0900-1730 BST.

Location: Jamming aircraft will orbit at 10,000ft above mean sea-level
(AMSL) along a 50nm flightpath on a heading of 270T from Kirkwall,
starting 10nm to the west of Kirkwall and ending 60nm to the west of

Possible areas affected: The GPS jamming is likely to affect civilian
Standard Positioning Service (SPS) receivers over a large area.  A minimum
jammer to signal vulnerability of 30dB has been assumed for a civilian
receiver.  Signal theory suggests that a SPS civilian receiver should have
approximately 32dB of jamming resistance.

Safety of Life Operations: Safety of life operations will take precedence
over exercise activities at all times. To this end, the AWC is open to
further discussion with any official recipient on the potential implications
of this jamming exercise.

Contact point: During the exercise, any official recipient (or their
delegated representative) and any member of the Emergency Services may
terminate the jamming for safety reasons by calling the contact numbers

(1) Primary: Duty Controller Flying (TLT), RAF Kinloss - Tel: 01309 617857.

(2) Backup: Duty Controller Flying (TLT), RAF Lossiemouth - Tel: 01343

(3) Tertiary: Duty Air Surveillance Officer, National Air and Space
Operations Centre Tel: 01494 494812.

Note: Safety of life operations will take precedence over exercise
activities at all times.

UK Royal Academy of Engineering report on GPS jamming

Erling Kristiansen
Sat, 12 Mar 2011 10:41:25 +0100

A couple of quotes from the article:

  We regularly detect instances of GPS jammers in use as we monitor radio
  activity around the UK. The plot from one of our detectors shows one which
  we saw in use on the A4 near Kew Bridge.

  A network of monitors in our major urban centres will allow us to monitor
  use of these jamming devices and get them turned off as soon as they are
  detected. This network will also act as a detector of criminal activity;
  there is no legitimate use for this jamming equipment.

My comments:

The proposed "cure" is to locate and remove jammers.  I don't know what kind
of signal current jammers transmit. But, considering the very low power and
wide spectrum of the GPS signal, it should not be difficult to build a
jammer that is virtually impossible to locate. You can only home in on a
transmitter if you can "see" it above the background noise.

In my opinion, the best cure is to avoid deploying GPS-based applications
that give an incentive for jamming. Road tolling is the first example that
springs to mind.

Copper thieves cause train wreck

Mark Brader
Fri, 18 Mar 2011 07:05:00 -0400 (EDT)

As we know, theft of copper has become an increasingly serious problem.
According to an item in the March issue of Modern Railways magazine, it has
now caused a "major railway accident" in the Netherlands.

It happened at Zevenaar, near the Dutch-German border, on January 11.  The
thieves took away more than 300 m (1,000 feet) of wiring, and apparently had
expert knowledge since they selected cables whose absence would not be
immediately detected as a fault.

Consequently the signaling system was unable to detect trains in certain
positions, and an Amsterdam-Cologne Inter-City Express (ICE) was switched
onto a track that was actually occupied by a stationary train of empty
flatcars used for container traffic.  The front of the ICE sideswiped the
last few flatcars, and cars of both trains were derailed.

There were no deaths or serious injuries, but once the signaling system was
failing to detect trains, it was clearly just a matter of luck as to what
trains would collide and exactly how.  As it is, repairs to the track and
trains are expected to cost 1,000,000 euros.

Mark Brader, Toronto, | "Volts are like proof." --Steve Summit

Efforts to make Internet secure are ineffective (James Lewis)

"Peter G. Neumann"
Mon, 21 Mar 2011 1:47:39 PDT

John P. Mello, Jr. writing on the testimony of James Lewis (CSIS):
Examining the Cyber Threat to Critical Infrastructure and the American
Economy; Efforts to make Internet secure are ineffective, 18 Mar 2011

James Lewis: While some progress has been made by some federal agencies in
making cyberspace secure, overall efforts have been ineffective, according
to a well-known security expert.  "What we are doing now to secure
cyberspace is not working," a House subcommittee was told March 16 by James
Lewis, director and a senior fellow in the Technology and Public Policy
program at the Center for Strategic and International Studies in Washington,
DC (  "There's been real progress at some agencies like DHS, but
we need to rethink our approach," he told the Cybersecurity, Infrastructure
Protection and Security Technologies panel.

Military establishments in some countries have the capability to launch a
cyber attack on the United States, he maintained. "They're not going to
launch a cyber attack because they're not going to start a war for no reason
with the U.S., they're deterred by our military, but if they ever did attack
us, we are unprepared to defend ourselves."

Terrorists don't have the capability—yet—to launch cyber attacks,
however groups like al-Qaeda are trying to obtain the capability, he
said. "Perhaps more worrisome.  Iran and North Korea are developing
cyber-attack capabilities. When these terrorist and rogue states can launch
a cyber attack, they, too, will find that we're unprepared."  He declared
that cyber crime and cyber espionage are daily occurrences in the United
States and are doing long-term damage to the nation's economy and global
competitiveness.  What's more, they set the stage for cyber attacks. "Some
of our opponents use cyber criminals as mercenaries.  Our most advanced
opponents in cyber crime and cyber espionage can overpower even the most
technologically sophisticated U.S. company."

He called for shelving the status quo in cyber security. "We need a new
strategy that uses all the tools of American power—military, law
enforcement, homeland security, partnership with the private sector," he
said. "If we can come up with this new combined strategy, we will be able to
do something effective to protect ourselves, but we're not there yet by any
stretch of the imagination."

Google's "Farmer" search tweaks devastate website rankings

Mark Thorson
Thu, 17 Mar 2011 20:00:56 -0700

On 24 Feb 2011, Google made a change to their search algorithm that has
devastated the search rankings of many sites.  According to this article, it
was done to downgrade so-called "farmer" websites that have shallow,
low-value content.

As evidenced by the reader comments (more like complaints) at the end of the
article, many sites with high-value content have seen drastic reductions in
visitors.  One of my favorite websites is
written by a retired engineer.  He writes about his hobbies and interests,
and the site is high-value, original content.  But he got hit hard—an
average of 8,500 visits daily before the 24th dropped to 6,500 afterward,
though there were 14,000 on the 24th.

Risks?  Not many for a hobbyist site, other than less satisfaction from
creating and adding to it.  For a commercial site, it could have tremendous
economic impact.  In the big picture, Google may have developed too much
dominance in this space, like IBM or AT&T did in their spaces before the
consent decrees of 1956.

China Tightens Censorship of Electronic Communications

Robert Schaefer
Tue, 22 Mar 2011 15:57:21 -0400

I think this takes the concept of corporate email filters that block naughty
words to a whole new level:

  "... A Beijing entrepreneur, discussing restaurant choices with his
  fiance over their cellphones last week, quoted Queen Gertrude's
  response to Hamlet: 'The lady doth protest too much, methinks.'  The
  second time he said the word 'protest', her phone cut off."

robert schaefer, Atmospheric Sciences Group, MIT Haystack Observatory
Westford, MA 01886  781-981-5767

Risks of playing computerized poker (Gabriel Dance)

"Peter G. Neumann"
Wed, 16 Mar 2011 22:12:26 PDT

Gabriel Dance, Computers Get Better at Knowing When to Hold 'Em or Fold 'Em:
Smarter Than You Think: Invasion of the Poker Bots, *The New York Times*,
14 March 2011, National Edition pp. A13,A16.

Playing against opponents in online poker, a professional poker player --
Bryan Taylor -- found some of his frequent opponents were playing quite
similarly on PokerStars.  After an investigation, he discovered that his
opponents were in fact computer programs masquerading as people—and are
so much better than they used to be that they are very difficult to beat
[especially if they are going to clean you out, or worse, if the gambling
site were itself cheating.  PGN].  Bryan managed to get PokerStars to shut
down some of the bots.  On the other hand, poker bots are widely available
on the Internet, and seem to be proliferating widely!  (Although Internet
gambling is illegal in the U.S., many sites are off-shore and widely used.)

  [I saw *The Sting* on TV last night for the Nth time, with its own lessons
  on clever scams.  But I am once again reminded that anyone thinking he or
  she can make easy money on the Internet from an off-shore game is probably
  one of those who believes that electronic voting machines are absolutely
  infallible—and especially the off-shore ones run by unknown third
  parties.  Caveat aleator!  PGN]

Insider threat against Whac-A-Mole

Jeremy Epstein
Tue, 15 Mar 2011 16:26:42 -0400

No, it's not a joke.  Marvin Wimberly was afraid he was going to lose his
job at Bob's Space Racers, maker of Whac-A-Mole.  So he modified the
software (who knew there was software in those things?) so after some number
of moles, they stop popping up - and he'd keep his job fixing the software.

I heard this first on NPR's Wait Wait (a comedy quiz show), and wasn't
convinced it was true.  (See for the
transcript.)  But an Orlando TV station is also reporting it
( and other seemingly
mainstream news sources.

The charge is for infringing on Bob's intellectual property, punishable by
15 years in jail.  I never knew moles had IP.

I'm not sure if the risk is the obvious insider threat, or using software to
implement such a game, or my gullibility in believing such a fish story....

NJ came close to selling private data at auction

Jeremy Epstein
Thu, 10 Mar 2011 21:24:22 -0500

*The NY Times* reports that New Jersey came close to selling used computers
with files on abused children, employee evaluations, tax returns, lists of
passwords, memoranda from a judge regarding possible lawyer misconduct,
etc. According to a study by the state comptroller, 79% of the machines
being sold held data, "much of it confidential".

Nothing new here - there have been studies showing this before.  Cf. Simson
Garfinkel "Remembrance of Data Passed: Used Disk Drives and Computer
Forensics", USENIX LISA 2004
(  Just sad that this
is still happening...

Perhaps this was the most interesting part: "[The comptroller's] report says
that one agency had a device that magnetically erased computer drives, but
that employees did not like to use it because it was noisy."  Do you suppose
government agencies that handle classified data have such a cavalier
attitude about data protection?

Congratulating National Car rental

Don Norman
Wed, 9 Mar 2011 16:22:58 -0800

We hear of so many clueless, unresponsive companies that I thought I
would report a success story. I recently got an email from National
Car rental about their Emerald Club (I am a member), asking me to
click on a link inside the email. But the URL for that link, a long
complex one, was to the site   . So I sent my usual
letter of complaint, explaining that this type of letter was teaching
people to fall for phishing attempts.  I send these letters out a lot;
I never get any answers (except sometimes a form letter thanking me
for writing).

But hey, National forwarded my letter to an assistant VP, who said:

  "Thank you for your recent comment regarding our update links.  You
  were kind enough to point out to us the flaw in having such a long link
  not directly associated with our brand.  In today's world, there is no
  doubt that many of our customers would see this as a phishing
  e-mail.   Certainly this is the opposite of the service we are trying
  to provide in this e-mail.

  "As a result of your comment we are in the process of introducing a brand
  friendly link.  We hope to roll this out on all new emails beginning in

Rare successes should be celebrated. Ideally, these requests should be
unnecessary, but it is nice to see a company that is trying to help reduce

Don Norman,,

ACSAC 2011 Call for Participation

Jeremy Epstein
Thu, 17 Mar 2011 16:08:04 -0400

27th Annual Computer Security Applications Conference (ACSAC 2011)
Buena Vista Palace Hotel & Spa in the Walt Disney World Resort, Florida, USA
5-9 December 2011


The Annual Computer Security Applications Conference (ACSAC) is an
internationally recognized forum where practitioners, researchers, and
developers in information and system security meet to learn and to exchange
practical ideas and experiences. If you are developing, researching, or
implementing practical security solutions, consider sharing your experience
and expertise at ACSAC.

We are especially interested in submissions that address the application of
security technology, the implementation of systems, and lessons learned. [...]


Papers (peer-reviewed),  Case Studies,  Courses/Tutorials, Panels, Workshops
all 6 June 2011; Posters and Works-in-Progress 2 Sept 2011

  Chair: John McDermott, Naval Research Lab
  Co-Chair: Michael Locasto, University of Calgary

  Chair: Steven Rome, Booz Allen Hamilton
  Co-Chair: Ken Shotting, DoD

  [Long item PGN-ed for RISKS.  See for details.
  This is an excellent conference (with workshops) for application security.

Computers/Freedom/Privacy Research/Poster CFP

Jeremy Epstein
Mon, 14 Mar 2011 17:53:22 -0400

Computers, Freedom, and Privacy: Research Poster Showcase

Submission Site:

This year's Computers, Freedom and Privacy Conference will feature a
research showcase in the form of a research poster session as well as a
research panel that includes the authors of the best research posters. CFP
is the leading policy conference exploring the impact of the Internet,
computers, and communications technologies on society. For more than a
decade, CFP has anticipated policy trends and issues, and has shaped the
public debate on the future of privacy and freedom in an ever more
technology-filled world. CFP focuses on topics such as freedom of speech,
privacy, intellectual property, cybersecurity, telecommunications,
electronic democracy, digital rights and responsibilities, and the future of
technologies and their implications. Researchers who work in any of these
areas are invited to submit research abstracts.

We seek research abstracts describing recent or ongoing research in all
areas relevant to the conference themes. We are especially interested in
research abstracts that present results with clearly articulated policy
implications. Abstracts should be written for a general audience and
should avoid using technical or legal jargon.

Submitted research abstracts can be either unpublished original research
(including work in progress), or research that has been recently published
(2010 or 2011).

Accepted abstracts or links to published papers will be posted on the CFP
web site and authors will be invited to present their work in the form of a
poster during a poster session on June 16, 2011. The authors of the best
research posters will be invited to participate in a panel discussion.

Please submit your abstract online at:

If the research has been published, also include the full citation and
URL. Attach a 1-2 page extended abstract or the full paper as a PDF file.
Please note that poster abstracts should be formatted like short papers, not
like posters. Authors of accepted posters will be sent information about how
to prepare and format posters for the conference.

Submissions will close at 5pm, US East Coast time, the evening of April 3.

* Co-chair Serge Egelman, NIST
* Co-chair Jeremy Epstein, SRI
* L Jean Camp, Indiana University
* Joseph Lorenzo Hall, UC Berkeley / Princeton
* Andy Oram, O'Reilly Media
* Janice Tsai, Microsoft
