The RISKS Digest

Forum on Risks to the Public in Computers and Related Systems

ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

Volume 26 Issue 43

Wednesday 20 April 2011

Contents

Some risk-related issues after the earthquake
ishikawa
Re: Single point of failure
Paul Robinson
Oak Ridge spear phishing
Jeremy Epstein
Exams in Turkey were all coded!
Hasan
Increasing risks due to leap seconds being ever more frequent
Theodor Norup
Obama admin: Please don't protect Americans' e-mail in the cloud
Lauren Weinstein
Increase in cyberattacks on critical infrastructures
McAfee/CSIS
Nuclear submarine documents leaked
Doug Hosking
Skype for Android User Data Leak
Gregg Keizer via Gene Wirchenko
Massive Russian hacker attack threatens freewheeling Ru.net
Lauren Weinstein
France outlaws secure hashed passwords—massive security FAIL
Lauren Weinstein
Apple AirPlay Private Key Exposed, Opening Door to AirPort Express Emulators
Arnold Kim via Dewayne Hendricks
More on the Epsilon fiasco
Robert X. Cringely via Gene Wirchenko
Epsilon reactions by Chase and Capital One
Andrew Klossner
'HTTPS Now' Campaign Urges Users to Take an Active Role in Protecting Internet Security
Eva Galperin
Info on RISKS (comp.risks)

Some risk-related issues after the earthquake

ishikawa <ishikawa@yk.rim.or.jp>
Tue, 12 Apr 2011 18:57:05 +0900

Update on RISKS-26.40: Some municipalities were lucky in that the system
integrator who supplied the computer system and offers maintenance services
had backups which were still safe, and so the bulk of the information could
be saved (but the latest updates, new births and deaths, people moving out
and moving in, etc., are not reflected in the backup).

Geographical diversity of locations to keep backups is often discussed in
computer security. How far is a good question. Japan experiences so many
earthquakes and there are so many fault lines (known and unknown) that I feel
it is not easy to figure out where important backups should be kept. Trying
to come up with a candidate location is almost like trying to figure out
which disks in a RAID configuration are less likely to experience external
hazards. Now, the government shall think of keeping backups in duplicate or
even triplicate in many corners of Japan. I am not kidding here. The
after-shocks from the big earthquake still continue and there have been
rather large ones in the last 48 hours or so.

In the lucky cases, some backups were found in the offices of system
integrators not affected by the disaster, and some are also duplicated at
the national government offices.

But some municipalities are not so lucky.  So, re-creating the database for
citizens is required.

The situation is a real-world exercise of a web of trust, so to speak.  Some
fundamental issues regarding IDs are being asked and temporarily solved at
this moment.

First of all, in some areas, the government offices and the people who manned
them simply disappeared. (I have absolutely no idea how things will be
handled there. But the national government is trying to build a new temporary
ID system. How do people establish their IDs? If a large enough number of
neighbors say he/she is who the person claims to be, will that be enough?)

A few municipalities, which still have some paper records, resort to
issuing ID papers based on the declaration of name, address, birth date,
and such at a makeshift counter when people come and ask for such ID papers,
so that anything that requires ID papers (including applications for
emergency assistance, etc.) will not be hindered by the lack of ID papers.
Presumably if the declared data don't match, the ID will not be issued, but
what about old people who need assistance even to come to the office, and
can't speak up or are hard of hearing? I can see some trouble here.

The national government is trying to establish a temporary registration
system for the evacuees, some of whom have lost all their ID papers and have
nowhere to live except the shelters right now. If they leave their current
place to move to other areas, they still need to record their movement.
Otherwise it would be difficult for them to receive funds from the national
emergency aid later.

The goodwill of people should make this attempt succeed, but I see many
risks of abuse by people with bad intentions, too. ID theft in its worst
form can happen.

A balance between the rigor of checking and the swiftness of issuing IDs is
required.  We shall see if the temporary system works.

PS: On TV, I saw a disk data salvaging company offering a special service to
people who lost their family members and whose only memories of them are
digital photos on computers (and backup disks) that were submerged in sea
water after the tsunami struck. The sheer number of such disks on a rack is
mind boggling.  Back in the 1990s, I read that an executive of a large disk
company predicted that the biggest problem ahead with emerging large disk
capacity is not that of corporate data getting lost. A person comes into a
computer shop and says that the only nice photo he/she has of the
grandmother who passed away lately is on this malfunctioning disk and asks
if the shop can recover it. That is the problem, the executive said.  The
prediction has come true on a grand scale.  (Of course, the executive assumed
that corporations have backup procedures in place. But many companies have
lost their financial data both in print and on disks, and even backups,
last month.)

PPS: The bottom line here is that backups kept in the same region (not in
the same office, or even the same city) were not good enough in a situation
where a shoreline extending a few hundred kilometers was devastated by the
tsunami.  I hate to bring up this expression in an international forum where
different religions are practiced, but I think the English phrase "of
biblical proportion" is an apt one here.

PPPS: Yes, this is the first time I experienced the clause in many contracts
that voids them based on "acts of god, .., mother nature, ..., etc." coming
into effect. The office where I work experienced several such cancellations
resulting in a large loss of money on our end. But I digress.


Re: Single point of failure (Thomas, RISKS-26.39)

Paul Robinson <paul@paul-robinson.us>
Fri, 8 Apr 2011 17:51:59 -0700 (PDT)

> Will they never learn?

No, I don't think so.  We actually did have a means of redundancy for where
GPS didn't work or wasn't available.  It's called Loran, but because GPS was
so much cheaper to have around, and most users were no longer depending on
Loran, it was decided to save money by choosing to deprecate it and
discontinue its operation...

On a related note, the Chief of the San Francisco Fire Department has had to
depend upon having a fireboat in the harbor on constant readiness in case of
earthquake or other disaster disrupting the underground water supply to fire
hydrants.  The relevance of this security practice was made clear when the
1989 Loma Prieta earthquake made the fireboat pumping seawater to fire
equipment the only reliable means to fight fires; the water supply to the
hydrant system, as expected, was unavailable due to water main breaks from
the earthquake.

Literally every time there is a budget crisis, the Chief has to justify to
the city's Board of Supervisors about the necessity of keeping a fireboat on
immediate standby, and is always chronically asked if they really need to
spend money to keep it in a state of constant readiness.

The lessons of history teach us - if they teach us anything - that no one
learns the lessons that history teaches us.


Oak Ridge spear phishing

Jeremy Epstein <jeremy.j.epstein@gmail.com>
Wed, 20 Apr 2011 11:39:31 -0400

Oak Ridge National Labs (one of the big US energy research labs, along with
Sandia, Livermore, Los Alamos, etc) suffered loss of some amount of data,
due to a spear phishing attack.  "The attacks were launched through phishing
e-mails that were sent to some 573 lab employees. The e-mails were disguised
to appear like it came from the lab's HR department and purported to inform
employees of some benefits related changes."  Clicking on a link opened a
page that silently installed malware through a vulnerability in Internet
Explorer that was patched earlier in the week.

The interesting part was that they disclosed that of the 500+ employees who
received the e-mail, 57 clicked on the link.  (Different reports give several
different numbers of users who received the link, but all in the 500-600
range.)

To me, the surprising part is that so *few* clicked on the link.  Many of us
regularly receive e-mails from our employers telling us to click on links to
do various things, including signing up for benefits (as in the Oak Ridge
example), fill out timecards, access paystubs, etc.  Employers, IMHO,
significantly contribute to the problem, because they train their employees
to click on links and are then surprised when they fall victim to spear
phishing attacks.

Of course the real problem is that clicking on a link shouldn't put us in
mortal danger!  Blaming the user who clicks on the link, or trying to train
them not to do it, is a losing proposition.

http://www.theregister.co.uk/2011/04/19/us_lab_security_breach/
http://www.computerworld.com/s/article/9215962/Oak_Ridge_National_Lab_shuts_down_Internet_email_after_cyberattack

I've also written about the relevance of this attack to Internet voting on
the Freedom-To-Tinker blog at
http://www.freedom-to-tinker.com/blog/jeremyepstein/oak-ridge-spear-phishing-and-i-voting


Exams in Turkey were all coded!

<hasan1234@hushmail.com>
Fri, 08 Apr 2011 08:49:05 +0300

It turns out the majority of the entrance exams recently conducted (the last
several years), anything from entrance to the police academy to entrance to
universities, have been coded. That is, the multiple choice answers were not
random, but used some simple patterns that have no doubt been whispered into
the ears of the selected few that were meant to be admitted.

Among the several patterns that have been determined, one pattern that I
read about was:

"Reorder the choices from the smallest to the largest value. The choice that
does NOT move from the original list, is the right answer. For example, the
answers to some question could be:
  a)500    b)700    c)400   d)100    e)200
reorder it:
  a)100    b)200    c)400   d)500    e)700
hence, (c) must be the right answer."  Using this method, they were able to
answer more than 75% of the university entrance exam.

The state-appointed directors that created these exams have denied any
wrongdoing and said that the "computer" must be at fault, as usual.  The
discoverer of the method said that this was done to infiltrate more people
with religious upbringing into governmental layers.

There is a great uproar in Turkey, and the media is having a field day with
it—rightly so considering how hard these entrance exams are and for how
many years kids have to study to be able to go to a decent school in
Turkey. However, the government officials said they are satisfied that this
has been a misunderstanding, or a simple coincidence.
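An auditor can test an answer key against the sorting rule quoted above and see how far the agreement rate departs from chance. This is an added example, not part of Hasan's post; only the first question is the post's own, the rest are constructed to exercise the edge cases (non-numeric choices, no fixed point, several fixed points).

```python
"""Audit a multiple-choice answer key for the pattern described above: sort a
question's numeric choices, and the one choice that keeps its position is
the key's answer.

Added example, not part of the RISKS post. Only the first question below is
the post's own; the rest are constructed to exercise the edge cases.
"""
from typing import List, Optional, Sequence, Tuple

LABELS = "abcde"


def fixed_point_choice(choices: Sequence[str]) -> Optional[str]:
    """Label of the single choice that stays in place when the choices are
    sorted by value, or None when the rule cannot be applied: non-numeric
    choices, duplicate values, or zero/several fixed points."""
    try:
        values = [float(c) for c in choices]
    except ValueError:
        return None
    if len(set(values)) != len(values):
        return None  # ties make "the" sorted position ambiguous
    ranked = sorted(values)
    fixed = [i for i, v in enumerate(values) if ranked[i] == v]
    if len(fixed) != 1:
        return None
    return LABELS[fixed[0]]


def audit_answer_key(questions: Sequence[Sequence[str]],
                     key: Sequence[str]) -> Tuple[int, int, float]:
    """Return (applicable, matches, rate): questions the rule applies to,
    how many of those the official key agrees with, and matches/applicable.
    For a key chosen independently of choice order the rate sits near 1/5."""
    applicable = matches = 0
    for choices, answer in zip(questions, key):
        predicted = fixed_point_choice(choices)
        if predicted is None:
            continue
        applicable += 1
        if predicted == answer:
            matches += 1
    rate = matches / applicable if applicable else 0.0
    return applicable, matches, rate


# Constructed answer sheet; question 1 is the post's example (answer c).
SAMPLE_QUESTIONS: List[List[str]] = [
    ["500", "700", "400", "100", "200"],           # only c stays put -> c
    ["2", "1", "3", "5", "4"],                     # only c stays put -> c
    ["10", "30", "20", "50", "40"],                # only a stays put -> a
    ["Paris", "Rome", "Berlin", "Madrid", "Oslo"], # not numeric -> skipped
    ["7", "9", "8", "6", "5"],                     # nothing stays put -> skipped
]
SAMPLE_KEY = ["c", "c", "b", "a", "e"]

if __name__ == "__main__":
    n, hits, rate = audit_answer_key(SAMPLE_QUESTIONS, SAMPLE_KEY)
    print(f"rule applicable to {n} questions, key agrees on {hits} ({rate:.0%})")
```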


Increasing risks due to leap seconds being ever more frequent

Theodor Norup <theodor.norup@gmail.com>
Thu, 14 Apr 2011 22:58:06 +0200

Poul-Henning Kamp writes an article arguing that leap second handling poses
an increasing risk to safety-critical systems.
  http://queue.acm.org/detail.cfm?id=1967009

The argumentation is roughly as follows:

1) Current earth models cannot predict insertion of leap seconds more than
   approx. 6 months in advance.
2) This means that computer systems' leap-second handling must be adjusted
   manually at short notice whenever a leap second is inserted.
3) This causes problems for more and more distributed systems that require
   an exactly coordinated interpretation of time.
4) The frequency of leap seconds will increase as the difference between
   atomic time and earth rotation increases quadratically with wall-clock time
   making the problem of 3) even worse.

QED. The RISK of malfunctioning systems will increase.

Of course, PHK suggests remedies; however, his paper and the subsequent
online discussion are hardly cause for optimism.

  [Of course, distributed systems that are designed to be synchronized to
  the leap-second are seemingly unrealistic in the first place, considering
  satellite delays, wire delays, etc.  PGN]


Obama admin: Please don't protect Americans' e-mail in the cloud

Lauren Weinstein <lauren@vortex.com>
Thu, 7 Apr 2011 17:10:03 -0700

Obama admin to Congress: Please don't protect Americans' e-mail in the cloud
http://j.mp/fnt4XW  (Wired)

The Obama administration is urging Congress not to adopt legislation that
would impose constitutional safeguards on Americans' e-mail stored in the
cloud.  As the law stands now, the authorities may obtain cloud e-mail
without a warrant if it is older than 180 days, thanks to the Electronic
Communications Privacy Act adopted in 1986.  At that time, e-mail left on a
third-party server for six months was considered to be abandoned, and thus
enjoyed less privacy protection.  However, the law demands warrants for the
authorities to seize e-mail from a person's hard drive.


Increase in cyberattacks on critical infrastructures

"Peter G. Neumann" <neumann@csl.sri.com>
Mon, 11 Apr 2011 9:04:48 PDT

McAfee and CSIS Report Reveals Dramatic Increase in Cyberattacks and
Sabotage on Critical Infrastructure Yet Organizations Remain Unprepared
[McAfee Press Release]
http://www.mcafee.com/us/about/news/2011/q2/20110419-01.aspx
http://www.mcafee.com/us/resources/reports/rp-critical-infrastructure-protection.pdf


Nuclear submarine documents leaked

"Doug Hosking" <doug1@sonic.net>
Mon, 18 Apr 2011 03:02:47 -0700

"SENSITIVE UK DOCUMENTS revealing how to cause a Fukushima-style reactor
meltdown on a nuclear submarine have been posted on the Internet."

"Instead of omitting the sensitive text, the geniuses at the Ministry of
Defence simply turned the background behind the letters black. They appeared
unreadable, but the words only needed to be copied and pasted into a new
document to view them in full."

(How many times must we repeat the same mistakes?)

http://www.theinquirer.net/inquirer/news/2044198/nuclear-submarine-documents-leaked

  [Once again to the FORE (or AFT, in this case).  PGN]
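The failure described above can be caught before publication by reading back what the document actually still contains rather than what it displays. This is an added example, not from the post or the Inquirer article; it assumes the documents were PDFs (the post does not say), works on an already decoded (uncompressed) page content stream, and both streams below are constructed with placeholder wording.

```python
"""Check whether 'redacted' text survives in a decoded PDF page content stream.

Added example, not from the RISKS post or the article it quotes. Assumes a
PDF and an already decoded content stream; real streams are usually Flate
compressed. Hex strings <...> and custom font encodings are not handled.
"""
import re
from typing import List

# Constructed: the text is painted first, then a black box is filled over it.
OVERPAINTED = (
    "BT /F1 12 Tf 72 700 Td (Coolant loop note: PLACEHOLDER detail) Tj ET\n"
    "0 0 0 rg 70 696 300 16 re f\n"
    "BT /F1 12 Tf 72 680 Td [(Unclassified ) -250 (summary)] TJ ET\n"
)

# Constructed: the same page after the sensitive string was really removed;
# only the box and the harmless line remain.
REMOVED = (
    "0 0 0 rg 70 696 300 16 re f\n"
    "BT /F1 12 Tf 72 680 Td [(Unclassified ) -250 (summary)] TJ ET\n"
)

# A PDF literal string: '(' ... ')' with backslash escapes (nesting ignored).
_STRING = r"\((?:\\.|[^\\)])*\)"
# Text-showing operators: '(string) Tj' and '[(s1) kern (s2) ...] TJ'.
_TEXT_OP = re.compile(r"(?P<tj>\((?:\\.|[^\\)])*\))\s*Tj|\[(?P<tjarr>[^\]]*)\]\s*TJ")
_ESCAPES = {"n": "\n", "r": "\r", "t": "\t", "(": "(", ")": ")", "\\": "\\"}


def _unescape(literal: str) -> str:
    """Turn '(...)' into plain text, resolving the common backslash escapes."""
    body = literal[1:-1]
    return re.sub(r"\\(.)", lambda m: _ESCAPES.get(m.group(1), m.group(1)), body)


def extract_text(stream: str) -> List[str]:
    """Every string the page paints, in stream order. Whatever is drawn over
    it afterwards (the black 're f' box) does not remove it from the file."""
    out = []
    for m in _TEXT_OP.finditer(stream):
        if m.group("tj") is not None:
            out.append(_unescape(m.group("tj")))
        else:
            parts = re.findall(_STRING, m.group("tjarr"))
            out.append("".join(_unescape(p) for p in parts))
    return out


def count_fill_rects(stream: str) -> int:
    """Count 'x y w h re f' fills, the usual signature of a painted-over box."""
    return len(re.findall(r"\bre\s+f\b", stream))


def leaked_terms(stream: str, sensitive: List[str]) -> List[str]:
    """Sensitive terms still recoverable from the page, boxes or no boxes.
    A non-empty result means the redaction is cosmetic only."""
    text = " ".join(extract_text(stream))
    return [t for t in sensitive if t in text]


if __name__ == "__main__":
    for label, stream in (("overpainted", OVERPAINTED), ("removed", REMOVED)):
        print(label, count_fill_rects(stream), "box(es); leaks:",
              leaked_terms(stream, ["PLACEHOLDER"]))
```

Both streams carry the same black box, so counting boxes says nothing; only the text operators tell the two apart.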


Skype for Android User Data Leak

Gene Wirchenko <genew@ocis.net>
Tue, 19 Apr 2011 15:44:27 -0700

Gregg Keizer, Skype for Android leaks user data; Users should remove the app
from their Android smartphones until Skype fixes it, says security
researcher, *Computerworld*, 18 Apr 2011
http://www.infoworld.com/d/mobile-technology/skype-android-leaks-user-data-186

A flaw in Skype for Android could let criminals harvest private information
from smartphones, including the user's name and e-mail address, contacts, and
chat logs, the Internet calling software maker confirmed Friday.  One
security researcher called it "sloppy coding" and a "disrespect for your
privacy."

Last week, Justin Case, a regular contributor to the Android Police blog,
disclosed that Skype on Android does not block access to a number of
sensitive data files stored on the handset.  The files contain a wealth of
information about the Skype account and the smartphone's owner, ranging from
full name and date of birth to alternate phone numbers and account
balance. Also accessible, said Case, are instant chat logs and all Skype
contacts.  "Skype mistakenly left these files with improper permissions,
allowing anyone or any app to read them," said Case. "Not only are they
accessible, but [they're] completely unencrypted."  Case created an Android
application that demonstrated retrieving the unsecured data, and warned that
hackers could do the same.
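The defect described above is a permissions check that can be automated on any app's private data directory. This is an added example, neither Skype's code nor the Android Police demonstration; on Android each app runs under its own UID, so group/other read bits make a file readable by any other app. The directory layout and file names are constructed and a POSIX filesystem with real mode bits is assumed.

```python
"""Report files in an app's private data directory that other apps can read.

Added example; not Skype's code and not the Android Police demonstration.
The directory layout and file names below are constructed, and a POSIX
filesystem with meaningful mode bits is assumed.
"""
import os
import stat
import tempfile
from typing import List, Tuple

OTHERS_READ = stat.S_IRGRP | stat.S_IROTH
OTHERS_ALL = stat.S_IRWXG | stat.S_IRWXO


def find_exposed_files(root: str) -> List[Tuple[str, str]]:
    """(path relative to root, octal mode) for every regular file readable by
    group or others. Symlinks are skipped: their own bits are meaningless."""
    exposed = []
    for dirpath, _dirs, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            st = os.lstat(full)
            if stat.S_ISREG(st.st_mode) and st.st_mode & OTHERS_READ:
                exposed.append((os.path.relpath(full, root),
                                oct(stat.S_IMODE(st.st_mode))))
    return sorted(exposed)


def harden(root: str) -> int:
    """Drop all group/other bits on root and everything below it, directories
    included (a traversable directory still leaks file names). Returns how
    many entries were changed."""
    changed = 0
    entries = [root]
    for dirpath, dirnames, filenames in os.walk(root):
        entries += [os.path.join(dirpath, n) for n in dirnames + filenames]
    for path in entries:
        st = os.lstat(path)
        if stat.S_ISLNK(st.st_mode):
            continue
        mode = stat.S_IMODE(st.st_mode)
        if mode & OTHERS_ALL:
            os.chmod(path, mode & ~OTHERS_ALL)
            changed += 1
    return changed


def build_demo_tree() -> str:
    """Constructed app-data layout: a world-readable profile database (the
    kind of defect described above) beside a correctly private key file."""
    root = tempfile.mkdtemp(prefix="appdata_")
    files_dir = os.path.join(root, "files")
    os.mkdir(files_dir, 0o755)
    leaky = os.path.join(files_dir, "profile.db")      # constructed name
    private = os.path.join(files_dir, "session.key")   # constructed name
    with open(leaky, "w") as fh:
        fh.write("full_name,email,date_of_birth,balance\n")  # fake columns
    with open(private, "w") as fh:
        fh.write("constructed-secret\n")
    os.chmod(leaky, 0o644)
    os.chmod(private, 0o600)
    return root


if __name__ == "__main__":
    demo = build_demo_tree()
    print("exposed before:", find_exposed_files(demo))
    print("entries fixed:", harden(demo))
    print("exposed after:", find_exposed_files(demo))
```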


Massive Russian hacker attack threatens freewheeling Ru.net

Lauren Weinstein <lauren@vortex.com>
Sat, 9 Apr 2011 09:28:42 -0700

  [Network Neutrality Squad]
  http://j.mp/g5fxp9  (CSM)

  "Moscow - Russia's biggest social network and its top opposition newspaper
   have been knocked out by massive hacker attacks over the past week,
   leading some nervous bloggers to suggest that security services may be
   testing techniques for shutting down the country's freewheeling Internet
   in the event of a crisis.  The list of victims crying foul after the wave
   of direct denial of service (DDoS) attacks started hitting Russia's
   LiveJournal site, which has 4.7 million users, include President Dmitry
   Medvedev. Mr. Medvedev demanded a police inquiry Thursday after his blog
   on the site was shut down in the online strike." [Source: Fred Weir,
   *Christian Science Monitor*, 8 Apr 2011]
   http://www.csmonitor.com/World/Europe/2011/0408/Massive-Russian-hacker-attack-threatens-freewheeling-Ru.net

Without any additional info, I'll simply point out that while it's certainly
*possible* this was some sort of state-sponsored "test" attack, it's also
quite possible that it was completely unrelated hacking.  Contrary to what
the article implies, it does *not* necessarily require vast financial
resources to conduct such an attack, and there are certainly folks out there
with the capability of such botnet-based actions who might do so just for
"fun" or bragging rights.

So without specific evidence, blaming the government, as attractive as that
may be given their recent crackdowns, may still be premature.

Network Neutrality Squad: http://www.nnsquad.org http://www.vortex.com/lauren
People For Internet Responsibility: http://www.pfir.org
PRIVACY Forum: http://www.vortex.com  +1 (818) 225-2800 / Skype: vortex.com


France outlaws secure hashed passwords—massive security FAIL

Lauren Weinstein <lauren@vortex.com>
Fri, 8 Apr 2011 21:48:14 -0700

  [From Network Neutrality Squad]

  "If service providers are required to store your password(s) for 12
  months, this will make data loss events even more tragic.  For the
  providers to surrender your password to the police or other government
  authorities, they must either store your password in plain text, or in
  some reversible hashing algorithm.  The recent SQL injection attack
  against MySQL/Sun/Oracle disclosed some database passwords that were
  stored using one-way hashing. Some of these were still able to be
  brute-force attacked and their plain text determined, but it took some
  effort. Imagine what could have happened. . .  If all businesses doing
  transactions in France must record your password for every login this will
  surely lead to the passwords being stored on Internet-facing computers,
  ripe for the picking by cybercriminals."
  http://j.mp/f2pk1D  (Sophos)

A requirement for storing plaintext passwords, or passwords "encrypted" in
such a way that the original password can be recovered, seems like a law
written by criminals for criminals.  The potential for disaster, keeping in
mind how often many people tend to use the same password for multiple
services, is immense.

This is another example of the strange duplicity within the EU (well, here
in the U.S. as well) when it comes to privacy.  On one hand, we have
governments slamming Google for useful Street View and harmless accidental
capture of data from open Wi-Fi networks, but at the same time implementing
draconian data retention requirements that carry genuine risks for serious
damage to their citizens.

Network Neutrality Squad: http://www.nnsquad.org http://www.vortex.com/lauren
People For Internet Responsibility: http://www.pfir.org
PRIVACY Forum: http://www.vortex.com  +1 (818) 225-2800 / Skype: vortex.com


Apple AirPlay Private Key Exposed, Opening Door to AirPort Express Emulators

Dewayne Hendricks <dewayne@warpspeed.com>
April 11, 2011 7:34:46 AM EDT

  [From Dave Farber's IP]

Apple AirPlay Private Key Exposed, Opening Door to AirPort Express Emulators
Monday April 11, 2011 02:39 AM EST
Written by Arnold Kim
<http://www.macrumors.com/2011/04/11/apple-airplay-private-key-exposed-opening-door-to-airport-express-emulators/>

Developer James Laird has reverse engineered the Airport Express private key
and published an open source AirPort Express emulator called Shareport.
This program emulates an Airport Express for the purpose of streaming music
from iTunes and compatible iPods. It implements a server for the Apple RAOP
protocol.

Previously, the private key was unknown, which meant that only Apple's
Airport Express or official 3rd party solutions could wirelessly stream
music from iTunes or equivalent. Many existing solutions such as Rogue
Amoeba's Airfoil have long been able to stream music to AirPort Express or
other AirPlay devices, but not the other way around. A Hacker News commenter
illumin8 spells it out:

Previously you could do this:

  iTunes --stream to--> Apple Airport Express
  3rd party software --stream to--> Apple Airport Express

Now you can do this:

  iTunes --stream to--> 3rd party software/hardware

Now, it seems unlikely that any hardware manufacturers will use the
unauthorized information to create AirPlay-compatible hardware products,
especially when it is possible to be an officially licensed AirPlay
partner. However, this does open the door to software solutions. iTunes
music, for example, could be streamed to other Macs, non-Macs, customized
consoles (Xbox 360), or mobile devices with the right software. The
developer originally posted the key to the VideoLan developer mailing list
in case there was interest in adding that feature to a future version of
VLC.


More on the Epsilon fiasco (RISKS-26.41)

Gene Wirchenko <genew@ocis.net>
Tue, 12 Apr 2011 10:03:16 -0700

Robert X. Cringely, Epsilon, spammers in expensive suits; Thanks to Epsilon
Data Management, hackers have millions more e-mail addresses to target. Get
ready for the spam and scam.  *InfoWorld*, 06 Apr 2011
http://www.infoworld.com/t/cringely/epsilon-spammers-in-expensive-suits-091

selected text:

I have to admit I had been feeling a bit left out. Everyone I knew was
getting e-mails and letters from companies they do business with warning
them about the Epsilon Data Management e-mail breach and what might happen
to them.  So it was quite a relief when I opened up an e-mail from Marriott
yesterday and read the following: [snipped]

According to the company [Epsilon], hackers stole the e-mail addresses for
less than 2 percent of its clients, but if Epsilon happens to know which 2
percent, the company hasn't been talking about it.  Epsilon posted an
extremely terse, detail-challenged press release announcing the breach on
April 1 (talk about your April Fools) and hasn't said much since.

Epsilon's client roster reads like a who's who of corporate America:
JPMorgan Chase, Capital One, Marriott Rewards, McKinsey Quarterly,
U.S. Bank, Citi, Ritz-Carlton Rewards, Brookstone, Walgreens, the College
Board, the Home Shopping Network, Target, TiVo, and at least a dozen more.

How did Epsilon get its grubby fingers on my e-mail address in the first
place? Fortune 500 firms desperately want to keep an electronic leash on
their customers, but they don't have a clue how to do it.  Instead, they
outsource the job to companies like Epsilon, sharing their massive customer
databases with these marketers, who are contractually obligated to keep that
data secure. (Apparently Epsilon didn't read the fine print.)

In most cases, all the hackers got was a name and an e-mail address.  What
bad things could happen? Aside from the fact this data is going to get sold
and resold a thousand times to various spammers, the smart money says it
will also likely be used for spearphishing campaigns aimed at select
customers. My bet is that Epsilon's banking clients will be the first to be
phished, since that's the fastest route to money.


Epsilon reactions by Chase and Capital One

Andrew Klossner <andrew@cesa.opbu.xerox.com>
Mon, 11 Apr 2011 15:58:07 -0700

RISKS-26.41 quotes Stephen Smoliar lauding Kroger's e-mail to its customers
about the Epsilon data breach while decrying the lack of such e-mail from
Chase and Capital One.

I'm not a fan of the big New York banks, but in fairness I must report that
I have credit cards with, and received warning e-mails from, both of these
companies.


EFF: 'HTTPS Now' Campaign Urges Users to Take an Active Role in Protecting
Internet Security

EFF Press <press@eff.org>
April 20, 2011 11:15:14 AM EDT

Electronic Frontier Foundation Media Release
Eva Galperin, Activist,  Electronic Frontier Foundation, eva@eff.org
+1 415 436-9333 x111

'HTTPS Now' Campaign Urges Users to Take an Active Role in
Protecting Internet Security

Wide Deployment of Encryption Protocol Provides Basic Security for Web Surfing

San Francisco - The Electronic Frontier Foundation (EFF) and Access have
launched an international campaign for HTTPS Now, rallying consumers around
the world to help us make web surfing safer.

"We've heard a lot about how malicious tools like Firesheep can be used to
steal data, including passwords for e-mail and social networking accounts,"
said EFF Activist Eva Galperin.  "HTTPS Now is aimed at protecting users
from attacks like these by spreading the word about HTTPS and how to use it
correctly.  HTTPS provides the minimum level of security for websites.
Without it, no site can make any meaningful security or privacy guarantees
to its users."

HTTPS (Hypertext Transfer Protocol Secure) protects web surfing by
encrypting requests from a user's browser and the resulting pages that are
displayed, but many websites default to using the unencrypted and vulnerable
HTTP protocol.  The HTTPS Now campaign takes a three-pronged approach to
protecting web surfing, including distributing updated tools for people to
use to protect their web browsing, taking an Internet-wide survey of the
state of HTTPS deployment, and helping website operators implement HTTPS.

As a first step, individuals using the web are encouraged to install HTTPS
Everywhere, a security tool for the Firefox browser developed by EFF and the
Tor Project.  HTTPS Everywhere automatically encrypts a user's browsing,
changing it from HTTP to HTTPS whenever possible.

Often, however, security vulnerabilities can't be cured by changes to a
user's browser.  Many websites have not deployed HTTPS, leaving their
visitors vulnerable to malicious attacks.  For the second prong, we are
asking users to let us know whether the sites they visit use HTTPS.  We are
hoping that our crowd-sourced survey of websites will give us a relatively
accurate picture of the current state of HTTPS deployment and Internet
security.

Finally, we have created detailed resources for website operators who are
interested in learning how to deploy HTTPS and why it's important for them
to do so.

"We want to make it easier for web users to get the security they need and
deserve, but we can't do it alone.  We need an accurate picture of the state
of HTTPS on the Internet.  After that, we can target website operators and
make it easy for them to update their sites," said Jochai Ben-Avie of
Access.  "Working together, we can all be safer from identity theft,
security threats, viruses, and other things that come from an insecure
Internet."

For more on HTTPS Now:
https://www.httpsnow.org

For this release:
https://www.eff.org/press/archives/2011/04/19-0

About EFF

The Electronic Frontier Foundation is the leading civil liberties
organization working to protect rights in the digital world. Founded in
1990, EFF actively encourages and challenges industry and government to
support free expression and privacy online. EFF is a member-supported
organization and maintains one of the most linked-to websites in the world
at https://www.eff.org/
