The Risks Digest

The RISKS Digest

Forum on Risks to the Public in Computers and Related Systems

ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

Volume 26 Issue 49

Monday 25 July 2011

Contents

Planes collide in midair, land safely
Monty Solomon
Aviation Experts Worry About Aircraft Mishaps on the Ground
Monty Solomon
Pilots to use iPads instead of manuals
Peter Houppermans
Safety on China's Railroads
Chuck Weinstock
Toyota to recall 82,200 vehicles in the US
Monty Solomon
Don't throw away Grandma's wind-up desk clock
Danny Burstein
Electronic vote stealing in Ohio's 2004 Presidential Election
PGN
Bruce Schneier's CRYPTOGRAM item on Dropbox and clouds
PGN
A Mouse Ate Your Network?
Ted Samson via Gene Wirchenko
Apple Laptops Vulnerable To Hack That Kills Or Corrupts Batteries
Andy Greenberg via Monty Solomon
Patient alleges Tufts breached privacy
Chelsea Conaboy via Monty Solomon
Beth Israel reports potential data breach
Hiawatha Bray via Monty Solomon
Most cellphone voice mail is vulnerable to hackers
Hiawatha Bray via Monty Solomon
Staples resold devices holding consumer data
Jenn Abelson via Monty Solomon
Somebody is using my e-mail address, but I can't figure out why
Jonathan Kamens
Empowering Evil Through Search and Surveillance: Why Corporate Ethics Matter
Lauren Weinstein
Book review: Surveillance or Security?: The Risks Posed by New Wiretapping Technologies
Ben Rothke
Info on RISKS (comp.risks)

Planes collide in midair, land safely

Monty Solomon <monty@roscom.com>
Fri, 15 Jul 2011 22:12:41 -0400

http://www.usatoday.com/news/nation/2011-07-12-alaska-planes-collide_n.htm


Aviation Experts Worry About Aircraft Mishaps on the Ground

Monty Solomon <monty@roscom.com>
Fri, 15 Jul 2011 22:12:41 -0400

Aviation Experts Worry About Aircraft Mishaps on the Ground
http://abcnews.go.com/Travel/BusinessTraveler/aviation-experts-worry-airport-collision-bostons-logan-international/story?id=14083446

Delta 767 winglet sheared off in Boston collision
http://travel.usatoday.com/flights/post/2011/07/boston-jets-clip-collide-delta/177084/1


Pilots to use iPads instead of manuals

Peter Houppermans <peter@houppermans.com>
Wed, 06 Jul 2011 09:05:45 +0200

    Flaps up - check<br>
    iPad charged - check<br>

http://www.pocket-lint.com/news/40880/pilots-swapping-manuals-for-ipads">

  The Federal Aviation Administration has approved the use of iPads in the
  cockpits of commercial and charter aircrafts - in the US, at
  least. Traditionally, each plane would house a collection of bulky flight
  manuals, weighing up to 40-pounds. Now though, a pilot is allowed to store
  digital versions of the books on a tablet device.

I hope they still have to keep the tree version as a non-battery dependent
backup for redundancy.  I also hope pilots are made to look up things in the
original manuals as a regular exercise (just on the basis of observing what
has happened to the map reading skills of the average car driver as a result
of GPS use).

There are upsides in terms of better referencing and easier information
updates, but I'd be interested to see how they approached updates and
maintenance.

  [What about in-flight real-time manual updating?  PGN]


Safety on China's Railroads

Chuck Weinstock <weinstock@conjelco.com>
Sun, 24 Jul 2011 14:23:04 -0400

http://www.nytimes.com/2011/07/25/world/asia/25train.html

The article in today's paper was somewhat different with more of an emphasis
on the lack of a safety culture in China. The apparent cause was the train
being struck by lightning causing it to stop. That combined with
malfunctioning signaling caused the following train to rear end the first
one.


Toyota to recall 82,200 vehicles in the US

Monty Solomon <monty@roscom.com>
Sat, 2 Jul 2011 18:38:13 -0400

Toyota Motor Corp. said it will recall about 82,200 hybrid SUVs in the
U.S. due to computer boards with possible faulty wiring.  The car giant said
the recall will involve Highlander and Lexus brand hybrid SUVs from its 2006
and 2007 lines. The action covers just the vehicles sold in the U.S., with
no other models affected. ...  *The Boston Globe*, June 29, 2011

http://www.boston.com/cars/news/articles/2011/06/29/toyota_to_recall_82200_vehicles_in_the_us/


Don't throw away Grandma's wind-up desk clock

Danny Burstein <dannyb@panix.com>
Sat, 25 Jun 2011 15:03:11 -0400 (EDT)

Power-grid experiment could confuse electric clocks [AP story via msnbc]
Traffic lights, security systems and computers may be affected by frequency
change as well.

A yearlong experiment with America's electric grid could mess up traffic
lights, security systems and some computers - and make plug-in clocks and
appliances like programmable coffeemakers run up to 20 minutes fast.
"A lot of people are going to have things break and they're not going to know
why," said Demetrios Matsakis, head of the time service department at the U.S.
Naval Observatory, one of two official timekeeping agencies in the federal
government.

Since 1930, electric clocks have kept time based on the rate of the
electrical current that powers them. If the current slips off its usual
rate, clocks run a little fast or slow. Power companies now take steps to
correct it and keep the frequency of the current - and the time - as precise
as possible.

The group that oversees the U.S. power grid is proposing an experiment that
would allow more frequency variation than it does now without corrections,
according to a company presentation obtained by The Associated Press.  ...
The North American Electric Reliability Corp. runs the nation's interlocking
web of transmission lines and power plants. A June 14 company presentation
spelled out the potential effects of the change: East Coast clocks may run
as much as 20 minutes fast over a year, but West Coast clocks are only
likely to be off by 8 minutes. In Texas, it's only an expected speedup of 2
minutes.
http://today.msnbc.msn.com/id/43532031/ns/technology_and_science-innovation/


Electronic vote stealing in Ohio's 2004 Presidential Election

"Peter G. Neumann" <neumann@csl.sri.com>
Fri, 22 Jul 2011 4:49:07 PDT

Freepress.org: New court filing reveals how the 2004 Ohio presidential
election was hacked

http://www.freepress.org/departments/display/19/2011/4239
See also
http://www.benzinga.com/news/11/07/1789905/forget-anonymous-evidence-suggests-gop-hacked-stole-2004-election#ixzz1Ssy99Dmv


Bruce Schneier's CRYPTOGRAM item on Dropbox and clouds

"Peter G. Neumann" <neumann@csl.sri.com>
Wed, 29 Jun 2011 17:33:34 PDT

Bruce Schneier, CRYPTOGRAM:
I haven't written about Dropbox's security problems; too busy with the
book.  But here's an excellent summary article from The Economist.
http://www.economist.com/blogs/babbage/2011/05/internet_security
The meta-issue is pretty simple.  If you expect a cloud provider to do
anything more interesting than simply store your files for you and give
them back to you at a later date, they are going to have to have access
to the plaintext.  For most people—Gmail users, Google Docs users,
Flickr users, and so on—that's fine.  For some people, it isn't.
Those people should probably encrypt their files themselves before
sending them into the cloud.
Another security issue with Dropbox:
http://dereknewton.com/2011/04/dropbox-authentication-static-host-ids/


A Mouse Ate Your Network?

Gene Wirchenko <genew@ocis.net>
Tue, 05 Jul 2011 09:52:57 -0700

http://www.infoworld.com/t/insider-threats/security-company-infects-clients-network-trojan-mouse-576

Ted Samson, InfoWorld Tech Watch, June 28, 2011
Security company infects client's network with 'Trojan mouse'
By loading a USB mouse with malware and exploiting end-user blabbing,
NetraGard succeeds in infecting a client's network

Security consulting company NetraGard has demonstrated that something as
seemingly innocuous as a USB mouse, along with tidbits of information freely
available on the Internet, can provide a hacker quick and easy access to a
seemingly secure IT environment. ...


Apple Laptops Vulnerable To Hack That Kills Or Corrupts Batteries

Monty Solomon <monty@roscom.com>
Sun, 24 Jul 2011 01:01:13 -0400

Andy Greenberg, Apple Laptops Vulnerable To Hack That Kills Or Corrupts
Batteries, *Forbes*, 22 Jul 2011

A pile of dead Apple laptop batteries, victims of Charlie Miller's research.
Your laptop's battery is smarter than it looks. And if a hacker like
security researcher Charlie Miller gets his digital hands on it, it could
become more evil than it appears, too.

At the Black Hat security conference in August, Miller plans to expose and
provide a fix for a new breed of attack on Apple laptops that takes
advantage of a little-studied weak point in their security: the chips that
control their batteries. ...

http://blogs.forbes.com/andygreenberg/2011/07/22/apple-laptops-vulnerable-to-hack-that-kills-or-corrupts-batteries/

  [Gene Wirchenko noted an item by Christina DesMarais:
    http://www.itbusiness.ca/it/client/en/CDN/News.asp?id=63437


Patient alleges Tufts breached privacy

Monty Solomon <monty@roscom.com>
Fri, 15 Jul 2011 22:41:31 -0400

Patient alleges Tufts breached privacy
Sues after medical history was faxed to job

Chelsea Conaboy, *The Boston Globe*, 15 Jul 2011

A patient has sued Tufts Medical Center and a primary care doctor
there, alleging that documents including her medical history were
sent to a fax machine at her workplace without her consent.

Kimberly White of Middleborough, 44, said in an interview that at
least two co-workers read the records, causing her embarrassment. She
filed a complaint in Plymouth County Superior Court alleging that her
privacy rights were violated and seeking punitive damages. The
hospital has denied wrongdoing.

While recovering from a hysterectomy in December, White asked Dr.
Kimberly Schelling to fax a required form related to a disability
claim to White's employer. Instead, according to the court filing,
four pages of White's medical records were sent to a shared fax
machine in the office. ...

http://www.boston.com/news/local/massachusetts/articles/2011/07/15/lawsuit_alleges_tufts_faxed_patient_records_to_workplace_without_permission/


Beth Israel reports potential data breach

Monty Solomon <monty@roscom.com>
Mon, 18 Jul 2011 22:54:04 -0400

Beth Israel reports potential data breach

Hiawatha Bray, *The Boston Globe*, 18 Jul 2011

Beth Israel Deaconess Medical Center is notifying more than 2,000 of
its patients that some of their personal information may have been
stolen from a hospital computer.

The hospital said today that an unnamed computer service vendor had
failed to restore proper security settings on the computer after
performing maintenance on it. The machine was later found to be
infected with a computer virus, which transmitted data files to an
unknown location.

The computer contained medical record numbers, names, genders, and
birth dates of 2,021 patients, as well as the names and dates of
radiology procedures they'd undergone. But the computer didn't
contain the patients' financial data or their Social Security
numbers, which can be used to steal identities and defraud banks. ...

http://www.boston.com/Boston/businessupdates/2011/07/beth-israel-reports-potential-data-breach/sLnihf9HOmBQDGc6GFCVTI/index.html


Most cellphone voice mail is vulnerable to hackers

Monty Solomon <monty@roscom.com>
Wed, 13 Jul 2011 08:34:15 -0400

Hiawatha Bray, *The Boston Globe*, 13 Jul 2011
http://www.boston.com/business/technology/articles/2011/07/13/most_cellphone_voice_mail_is_vulnerable/

Breaking into someone's voice mailbox - in the style of the hackers at the
British tabloid News of the World - can be as easy in the United States as
it is on the other side of the Atlantic.  It is done using a readily
available online service known as "caller ID spoofing,'' which can make a
call appear to be coming from any phone number. Hackers can use it to access
someone else's voice mail messages by fooling the system into thinking the
call is coming from the owner's cellphone.  If the mailbox is not protected
by a password, as is often the case, the attacker can hear and even delete
messages in the target's voice mailbox.

There are numerous spoofing services in the United States; all you need to
do is Google them. Although these services are used by hackers to commit
crimes, they're also used legitimately by, for example, battered women who
do not want their calls traced, or law enforcement agents operating
undercover. ...


Staples resold devices holding consumer data

Monty Solomon <monty@roscom.com>
Sat, 2 Jul 2011 16:52:55 -0400

Jenn Abelson, Canada audit rips Mass.-based chain, *The Boston Globe*,
22 Jun 2011
http://www.boston.com/business/articles/2011/06/22/staples_resold_devices_holding_consumer_data/

Staples Inc. has repeatedly put consumers' data at risk in Canada by failing
to wipe clean returned storage devices that contain sensitive information
and are then resold.  Those findings were reported yesterday following an
audit by the Office of the Privacy Commissioner of Canada. The audit
included tests of storage devices, including computers, USB hard drives, and
memory cards that had undergone a `wipe and restore' process and were
destined for resale.  Of the 149 devices tested, 54 contained customer data,
including "highly sensitive personal information'' such as health card and
passport numbers, academic transcripts, banking information, and tax
records.

“Our findings are particularly disappointing given we had already
investigated two complaints against Staples involving returned data
storage devices and the company had committed to taking corrective
action,'' Canada's privacy commissioner, Jennifer Stoddart, said in a
statement.  “While Staples did improve procedures and control
mechanisms after our investigations, the audit showed those
procedures and controls were not consistently applied, nor were they
always effective - leaving customers' personal information at serious
risk.'' ...


Somebody is using my e-mail address, but I can't figure out why

Jonathan Kamens <jik@kamens.us>
Thu, 23 Jun 2011 12:40:18 -0400

A few days ago, I got e-mail from the Starwood hotel chain, thanking me=20
for contacting them. Except I hadn't. I figured it was just a spammer=20
using my e-mail address, so I ignored it.

I got e-mail from Starwood asking me to clarify my service request=20
because it made no sense. They included the original request in their=20
e-mail, so I was able to see the text (which was, indeed, nonsense) as=20
well as the full name of whoever contacted them using my e-mail address.=20
I wrote back to them and told them to ignore it.

Today, however, things got crazy. I got an e-mail address from Google=20
congratulating me on the creation of my new Gmail account. Except I=20
hadn't created a new account; someone else had, and specified my e-mail=20
address as the password recovery address.

Thinking fast, I took advantage of that fact to take over the account=20
(the spammers and phishers aren't the only people who can play that=20
game!), so that whatever this individual was planning on doing with it,=20
they won't be able to. After doing so, I was able to confirm that the=20
full name they gave to Google when creating the Gmail account matches=20
the name they gave to Starwood, so it seems likely that either the same=20
person or two people working together did both things.

The thing is, I can't figure out what this person or persons hope to=20
gain with what they are doing, and that concerns me. I can't imagine=20
they'd be doing it if there weren't something to gain, and I can't help=20
but worry that if it helps them, it'll hurt me.

... more details about this on my blog at http://blog.kamens.us/?p=2258. If
anybody has any ideas about what's going on here, I'd sure love to hear them
(sent to me or RISKS via email or posted as comments on my blog).


Empowering Evil Through Search and Surveillance: Why Corporate

Lauren Weinstein <lauren@vortex.com>
Tue, 5 Jul 2011 14:23:34 -0700
  Ethics Matter

Empowering Evil Through Search and Surveillance: Why Corporate Ethics Matter
                http://lauren.vortex.com/archive/000877.html

Here in the U.S., we've just celebrated our Fourth of July holiday --
Independence Day.  It's actually rather complex in nature, a celebration not
only of revolution and independence, but also of our foundational documents,
the Constitution and the first ten amendments to the Constitution, the Bill
of Rights.

These are remarkable written works from many standpoints.  We have not
always been true to their ideals.  But the men who wrote them were able to
create proclamations that have remained relevant for almost two and half
centuries, through our evolution from agrarian society to a technological
nation beyond the wildest imaginations of virtually anyone living at the
time (except, perhaps, my personal hero, Benjamin Franklin!)

The Bill of Rights and Constitution together suggest an ethical path for
this country, but no documents, no laws, can successfully legislate ethics
or morality.  We can ban government interference in free speech, as does the
First Amendment, but we cannot assure that freedoms will be wisely used.
This is in the nature of laws, men, and women throughout history.

Still, it's difficult not to feel disappointed when our ideals are subverted
for commercial gain, and during this past holiday two examples of this were
thrust into the media.

As I criticized yesterday, Microsoft has now formally partnered with Chinese
search giant Baidu to provide Chinese government-censored English language
search results in China ( http://j.mp/kYyGO2 [Lauren's Blog] ).

And now comes word that Cisco will be providing the networking gear for a
massive Chinese surveillance system, that will almost certainly be used
primarily to target political dissent.  Perhaps most alarming in this case
is the reaction of Cisco to questions about the ethics of the contract.
"It's not my job to really understand what they're going to use it for," was
the reaction of Cisco's executive VP in charge of their China strategy.

I know I'm not the only observer invoking the lyrics of the great satirist
Tom Lehrer regarding Wernher von Braun in this context: "'Once the rockets
are up, who cares where they come down?  That's not my department', says
Wernher von Braun."  Nor am I the only one who remembers the dark history of
IBM's involvement with Nazi Germany in the name of technology sales bottom
lines ( http://j.mp/j3JX7O [CNET] ).

A common meme is that corporations are amoral, unconcerned with ethics,
uninterested in anything but maximizing profits.  This is sadly often true,
but certainly is not always the case.

Yes, questions of ethics and business are complex, and different situations
may be easily confused.

For example, if a company chooses to do business in a particular country,
they must obey that country's laws.  They can challenge what they don't feel
is appropriate, but ultimately if they don't obey the laws they will very
likely be subjected to sanctions of some sort, civil and/or even criminal in
nature.  And they may be denied access to those countries entirely.

Yet companies can also choose not to extend their products and services into
countries where laws and government actions are obviously in conflict with
our own ethical considerations.  Firms can choose ethics over profits, if
they care enough about the former, not just the latter.

And so we saw Google's decision to stop censoring its search results in
China—censorship demanded by the Chinese government—after a period of
compliance during which Google hoped Chinese sensibilities about access to
knowledge—and freedom of speech—would improve, a test that China
unfortunately failed.

Google initially and understandably gave China the benefit of the doubt.
Yet China—and I'm speaking of the Chinese government, not the people
themselves—then chose to be even more belligerent on these issues, not
less.  Google rightly made the decision that in light of these developments,
participation in China's censorship regime was not good for the Chinese
people or for Google, and ceased participation.  Google made the ethically
correct choice, one that should be roundly congratulated.

In light of this, it's difficult to accept Microsoft's new move to not only
provide censored search services in China, but to go one giant step farther
and actually partner with the Chinese search giant Baidu within the Chinese
censorship regime.  By this action, Microsoft allies itself directly with
the Chinese government's information oppression, and becomes not just a bit
player in that regime, but a full-fledged comrade in censorship.

Microsoft can't claim ignorance of China's modus operandi in these regards.
Not only the Google experience dealing with China and search, but other
recent Chinese activities, have provided concrete examples.  So without a
doubt, money has won out over ethics for Microsoft when it comes to China.
No excuses, no mitigating circumstances.

And similarly for Cisco.  Like IBM and their dealings with German National
Socialism in the WWII era, Cisco appears to be purposely, directly, and
explicitly "averting its eyes" from knowledge of how its technologies will
certainly be abused.

It can indeed be argued that our actions as a nation have not always been in
keeping with the ideals and hopes of our Founding Fathers.  Our government
and businesses—and we the people—are not perfect.  Nobody is.

But the fulfillment of our ideals is ultimately a tapestry of individual
actions at all levels, and past mistakes do not justify present or future
unethical behaviors.

This applies not only to each of us, but also to our governments, to
Microsoft, to Cisco, and to every other corporation and organization.

While Microsoft's and Cisco's couplings with China may reap benefits for
their shareholders, these specific dealings are still a fundamental betrayal
of ethics, and of our fundamental values—especially given what we know
today about Chinese government behaviors and reactions in these realms at
this time.

The Chinese people are not our enemies.  And in the long run, a closer
relationship between China and the U.S. would be of immense value to both
countries.  But an ethical path to that goal cannot be reasonably paved with
direct U.S. entanglements with the most oppressive aspects of China's
government today.  An unethical path merely serves to help perpetuate those
very abuses that most slow any progress toward our best and finest
aspirations.

Lauren Weinstein (lauren@vortex.com): http://www.vortex.com/lauren [PGN-ed]
People For Internet Responsibility: http://www.pfir.org
Network Neutrality Squad: http://www.nnsquad.org
PRIVACY Forum: http://www.vortex.com  +1 (818) 225-2800 / Skype: vortex.com


Book review: Surveillance or Security?: The Risks Posed by New

Ben Rothke <brothke@gmail.com>
Thu, 14 Jul 2011 08:31:10 -0400
 Wiretapping Technologies

Surveillance or Security?: The Risks Posed by New Wiretapping Technologies
is a hard book to categorize.  It is not about security, but it deals
extensively with it.  It is not a law book, but legal topics are pervasive
throughout the book.  It is not a telecommunications book, but extensively
details telco issues.  Ultimately, the book is a most important overview of
security and privacy and the nature of surveillance in current times.

My full review of this excellent book is at:
https://365.rsaconference.com/blogs/securityreading/2011/07/08/surveillance-or-security-the-risks-posed-by-new-wiretapping-technologies

http://www.amazon.com/gp/product/0262015307/ref=as_li_ss_tl?ie=UTF8&tag=benrothkswebp-20&linkCode=as2&camp=217145&creative=399373&creativeASIN=0262015307

Please report problems with the web pages to the maintainer

Top