The RISKS Digest

Forum on Risks to the Public in Computers and Related Systems

ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

Volume 26 Issue 56

Weds 14 September 2011

Contents

Air France 447: Smart planes still vulnerable to human error
Don Norman
Re: United Airlines uses 11,000 iPads to take planes paperless
Geoff Kuenning
Automation in the air dulls pilot skill
AP item
Many US schools adding iPads, trimming textbooks
Stephanie Reitz via Monty Solomon
Benefits of IT on Education?
NYTimes
DigiNotar SSL Security Cert Breach
Gregg Keizer via Gene Wirchenko
Risks in Google, specifically Gmail
Paul Robinson
Microsoft posts security bulletins 4 days early, scrambles to fix mistake
Jon Brodkin via Monty Solomon
$100 Bill: The Fed Has a $110 Billion Problem with New Benjamins
Leonard Finegold
Re: Bitcoin + Cloud Computing = Approx. USD$231K Up In Smoke
Arno Wagner
Dutch Government Websites No Longer Secure
Danny Burstein
Forged Google crypto certificate found in the wild
Lauren Weinstein
Google+ Security/Privacy Risks?
Tony Bradley via Gene Wirchenko
The Internet's Secret Back Door
Lauren Weinstein
Closed, Says Google, but Shops' Signs Say Open
David Segal via Monty Solomon
Re: Researchers crack APCO P25 public safety encryption ...
Jeremy Ardley
Re: Visa to adopt chip & pin in the US
David Alexander
Re: T-Mobile JavaScript comment stripper breaks websites
Amos Shapir
Re: Yet another incident of over-reliance on GPS navigation
Geoff Kuenning
Amos Shapir
Man unable to open car from the inside and dies of dehydration
Clive Page
Patient Data Posted Online in Major Breach of Privacy
Kevin Sack via Monty Solomon
Cash for iPhones—spam, scam, or phishing
DoN. Nichols
Info on RISKS (comp.risks)

Air France 447: Smart planes still vulnerable to human error

Don Norman <norman@nngroup.com>
Sun, 28 Aug 2011 03:12:54 -0700

> On flight 447, the handoff from computer to pilots proved fatal for the
> 228 aboard.

I really get annoyed when people quickly and without evidence claim "human
error." With regard to the Air France accident, it is far too soon to come
to a final judgment.  As for the notion that when automation fails, it just
gives up and turns control over to the pilots, well, that problem has been
discussed and studied for decades. Many knowledgeable aviation safety
people have studied and written about this problem. I've written
about it in my books and journals. The aviation safety people at NASA Ames
have studied it over and over again and made many recommendations, a number
of which have been followed.

Readers of RISKS should be sophisticated enough not to jump on the "human
error" bandwagon every time it seems convenient.

  [Don, Thanks for rubbing this one in again.  In RISKS, we have repeatedly
  emphasized that blame is usually widely distributable, and that many
  so-called human errors are the result of inadequacies in requirements,
  specifications, system designs, implementation inconsistencies and bugs,
  and so on, but human beings are still always a potential weak link.  And
  yet the poor humans get fingered, because they have fewer champions such
  as you.  PLEASE keep up the good work.  Cheers!  PGN]

Don Norman, Nielsen Norman Group. KAIST (Daejeon, S. Korea), IDEO Fellow
norman@nngroup.com   www.jnd.org http://www.core77.com/blog/columns/
 Latest book: "Living with Complexity <http://www.jnd.org/books.html#608>"


Re: United Airlines uses 11,000 iPads to take planes paperless

Geoff Kuenning <geoff@cs.hmc.edu>
Tue, 30 Aug 2011 21:45:50 -0700

But of course passengers will still be prohibited from using those same
devices while the pilots have them turned on...

Geoff Kuenning   geoff@cs.hmc.edu   http://www.cs.hmc.edu/~geoff/


Automation in the air dulls pilot skill

Lauren Weinstein <lauren4321@gmail.com>
Tue, 30 Aug 2011 02:24:34 -0700

WASHINGTON (AP)—Are airline pilots forgetting how to fly? As planes
become ever more reliant on automation to navigate crowded skies, safety
officials worry there will be more deadly accidents traced to pilots who
have lost their hands-on instincts in the air....
http://hosted.ap.org/dynamic/stories/U/US_AIRLINE_PILOTS_AUTOMATION?SITE=AP&SECTION=HOME&TEMPLATE=DEFAULT


Many US schools adding iPads, trimming textbooks (Stephanie Reitz)

Monty Solomon <monty@roscom.com>
Mon, 5 Sep 2011 02:00:28 -0400

Stephanie Reitz, Associated Press, 3 Sep 2011

HARTFORD, Conn. - For incoming freshmen at western Connecticut's suburban
Brookfield High School, hefting a backpack weighed down with textbooks is
about to give way to tapping out notes and flipping electronic pages on a
glossy iPad tablet computer.

A few hours away, every student at Burlington High School near Boston will
also start the year with new school-issued iPads, each loaded with
electronic textbooks and other online resources in place of traditional
bulky texts.

While iPads have rocketed to popularity on many college campuses since Apple
Inc. introduced the device in spring 2010, many public secondary schools
this fall will move away from textbooks in favor of the lightweight tablet
computers.

Apple officials say they know of more than 600 districts that have launched
what are called "one-to-one" programs, in which at least one classroom of
students is getting iPads for each student to use throughout the school day.

Nearly two-thirds of them have begun since July, according to Apple. ...

http://www.boston.com/news/local/massachusetts/articles/2011/09/03/many_us_schools_adding_ipads_trimming_textbooks/


Benefits of IT on Education?

"Peter G. Neumann" <neumann@csl.sri.com>
Sun, 4 Sep 2011 8:57:14 PDT

  [From D Kross]

As schools embrace digital learning, evidence is scarce that expensive
technology is improving education.
http://www.nytimes.com/2011/09/04/technology/technology-in-schools-faces-questions-on-value.html?hp


DigiNotar SSL Security Cert Breach (Gregg Keizer)

Gene Wirchenko <genew@ocis.net>
Tue, 06 Sep 2011 09:40:35 -0700

Gregg Keizer: Hackers gain ability to impersonate CIA, MI6, Mossad, 6 Sep 2011
http://www.itbusiness.ca/it/client/en/home/News.asp?id=63989

Dutch firm DigiNotar has admitted its network was hacked and SSL security
certificates were stolen. The certificates can be used for "man in the
middle" attacks.

The tally of digital certificates stolen from a Dutch company in July has
exploded to more than 500, including ones for intelligence services like the
CIA, the U.K.'s MI6 and Israel's Mossad, a Mozilla developer said Sunday.

The confirmed count of fraudulently-issued SSL (secure socket layer)
certificates now stands at 531, said Gervase Markham, a Mozilla developer
who is part of the team that has been working to modify Firefox to block
all sites signed with the purloined certificates.

Among the affected domains, said Markham, are those for the CIA, MI6,
Mossad, Microsoft, Yahoo, Skype, Facebook, Twitter and Microsoft's Windows
Update service.

"Now that someone (presumably from Iran) has obtained a legit HTTPS cert for
CIA.gov, I wonder if the US gov will pay attention to this mess,"
Christopher Soghoian, a Washington D.C.-based researcher noted for his work
on online privacy, said in a tweet Saturday.


Risks in Google, specifically Gmail

Paul Robinson <paul@paul-robinson.us>
Sun, 11 Sep 2011 10:02:55 -0700 (PDT)

Having heard about the problem of the guy whose account with Google was
suspended because he was suspected of storing child pornography, I'd like to
mention a problem with Google's Gmail that I discovered.

I use Yahoo for web mail.  My DNS provider for paul-robinson.us forwards all
mail addressed to any address ending in @paul-robinson.us to my mailbox on
Yahoo.  And Yahoo provides a drop-down selector on its composition option so
when I send mail, I can select whether to send it from Yahoo under
paul@paul-robinson.us or from my Yahoo account number.

It works flawlessly, whether someone sends me a message from Yahoo or from
any other domain, I get any mail they address to my domain.

The same is not true with Gmail.  There is a weird technical problem with
Gmail: if a Gmail client sends mail to a domain that redirects its mail -
like mine - and the terminating address that the redirection goes to is a
Gmail account, Gmail discards the message.  I found this out because my
sister has her own domain name, the way I do, and I have mail sent to her
domain to redirect to her account, same as I do.  She even has the same DNS
provider as I do.  The difference is, she gets her mail from Gmail, and if a
Gmail customer mails something to her domain name, she does not get the mail
in her Gmail box.


Microsoft posts security bulletins 4 days early, scrambles to fix mistake (Jon Brodkin)

Monty Solomon <monty@roscom.com>
Sat, 10 Sep 2011 18:55:59 -0400

Jon Brodkin, ArsTechnica

Each month, there is a clearly defined process Microsoft uses to release
security patches to fix flaws in Windows and its other products. On a
Thursday, Microsoft releases an advance notification, listing the software
affected by the upcoming patches and the type of threat fixed, such as
"elevation of privilege" or "remote code execution." But no specific details
are released until the following Tuesday, the second Tuesday of each month,
when the full security bulletins and accompanying patches are made public.

But this month, the process went awry. The vague advance notification went
out as scheduled yesterday. But today, the full security bulletins went
live, four days before their scheduled release.

We were able to view two of the five security bulletins before Microsoft
unpublished them. Given that the security bulletins were unpublished within
an hour of their release, give or take, and that they were dated "Tuesday,
September 13, 2011" during the brief time they were live, it seems pretty
clear someone at Redmond screwed up. ...

http://arstechnica.com/microsoft/news/2011/09/microsoft-posts-security-bulletins-four-days-early-scrambles-to-fix-mistake.ars


$100 Bill: The Fed Has a $110 Billion Problem with New Benjamins

Leonard Finegold <L@drexel.edu>
Tue, 6 Sep 2011 21:08:10 -0400

http://www.cnbc.com/id/40521684/

  [The total face value of the printed but totally unusable new high-tech
  $100 bills represents more than 10% of the entire supply of U.S. currency
  on the planet, according to this article.  PGN]


Re: Bitcoin + Cloud Computing = Approx. USD$231K Up In Smoke

Arno Wagner <arno@wagner.name>
Sun, 28 Aug 2011 14:29:05 +0200

This strikes me as a strong indication that Bitcoin cannot be taken
seriously, except maybe as an elaborate and well-camouflaged Ponzi-scheme.

The last time I checked, processing credit card information on Amazon EC2
was still not allowed. Forget about any real money transactions. Not only
processing Bitcoin transactions there, but in addition doing so without
adequate backup, shows a level of unprofessionalism that is staggering. I do
not even want to know what serious security problems they had.

On the other hand, this kind of blind enthusiasm and lack of understanding
is typical for Ponzi-schemes. Sometimes even the scheme instigators seem to
suffer from it and do not see what they are doing. This may be the case
here.

Arno Wagner, Dr. sc. techn., Dipl. Inform., CISSP—Email: arno@wagner.name


Dutch Government Websites No Longer Secure

danny burstein <dannyb@panix.com>
Sat, 3 Sep 2011 18:18:50 -0400 (EDT)

[Source: dutch daily news]

The Dutch government can no longer guarantee the security of its
websites. This means, for instance, that the Internet identification site
DigID is no longer reliable, which Dutch residents use for government
services.

The Dutch Interior Minister Piet Hein Donner has given a press conference in
the early hours of Saturday morning to indicate the urgency of the problem.

There is doubt about the reliability of Government sites because the Dutch
Internet security company DigiNotar appears to have been hacked on July 19,
compromising its security guarantees for "a number of domains, including
Dutch Government Websites.  ...

http://www.dutchdailynews.com/dutch-government-websites-no-longer-secure/


Forged Google crypto certificate found in the wild (NNSquad)

Lauren Weinstein <lauren@vortex.com>
Mon, 29 Aug 2011 22:12:11 -0700

  "Security researchers have discovered a counterfeit web certificate for
  Google.com circulating on the internet that gives attackers the encryption
  keys needed to impersonate Gmail and virtually every other digitally
  signed Google property."  http://j.mp/oPlzjQ (UK Register)

A couple of notes on this. First, a widely syndicated story on this topic
was titled "Hackers acquire Google certificate ..."—which isn't exactly
true, what they acquired was strictly speaking a *forged* Google
certificate, an important distinction when certificate revocation is
considered. Secondly, as bad as this is (and regular readers know how
critical I've been of both existing PKI certificates and DNS environments),
the forged cert alone doesn't provide the ability to perform a
man-in-the-middle attack without the added factor of *access*—either
through poisoned DNS diversions, or direct tapping of traffic (e.g. by
ISPs/governments), and so on.


Google+ Security/Privacy Risks? (Tony Bradley)

Gene Wirchenko <genew@ocis.net>
Thu, 01 Sep 2011 11:21:24 -0700

http://blogs.itbusiness.ca/2011/09/privacy-concerns-with-google/
Tony Bradley, Privacy concerns with Google+  [Long item truncated for RISKS]

My issue with Google+ Games is that when I try to play a game I have to
first agree to grant the game and its developer various permissions to
access and use information from my Google+ Profile—including my Circles.
[...]


The Internet's Secret Back Door (NNSquad)

Lauren Weinstein <lauren@vortex.com>
Thu, 1 Sep 2011 11:22:15 -0700

  "But years before the RIM battle boiled over, other Western companies
  handed the country a far greater power: the capability to infiltrate the
  secure system used by most banking, mail, and financing sites, making the
  most protected data on the Web available to the prying eyes of the
  emirates' government-connected telecommunications giant."
  http://j.mp/rrZIGC (Slate)


Closed, Says Google, but Shops' Signs Say Open (David Segal)

Monty Solomon <monty@roscom.com>
Tue, 6 Sep 2011 08:46:36 -0400

David Segal, *The New York Times*, 5 Sep 2011

In mid-August, Jason Rule learned some surprising news about the coffee shop
that he owns and operates in Hays, Kan.: the place had closed for good.

Not in the real world, where it is thriving. Coffee Rules Lounge was listed
for a few days as "permanently closed" on Google Maps. During that time,
anyone searching for a latte on a smartphone, for instance, would have
assumed the store was a goner.

"We're not far from Interstate 70," said Mr. Rule, "and I have no doubt that
a lot of people running up and down that highway just skipped us."

In recent months, plenty of perfectly healthy businesses across the country
have expired - sometimes for hours, other times for weeks - though only in
the online realm cataloged and curated by Google. The reason is that it is
surprisingly easy to report a business as closed in Google Places, the
search giant's version of the local Yellow Pages. ...

http://www.nytimes.com/2011/09/06/technology/closed-in-error-on-google-places-merchants-seek-fixes.html


Re: Researchers crack APCO P25 public safety encryption ...

Jeremy Ardley <jeremy.ardley@gmail.com>
Wed, 14 Sep 2011 19:18:08 +0800

I presently work in the Emergency Services communications sector and am
appalled at the desire to encrypt Emergency Services communications in the
same way as Police Communications are.

There is a fundamental difference between Police usage and Emergency Service
usage.

In the Police case there is a possibly understandable desire to keep
communications private. In the Emergency Services case, the more information
that is disseminated the better.

Most of the disasters I have seen unfold are fundamentally hampered by lack
of effective communication. The systems just get overloaded and public
information release gets severely choked. Having news agencies or others
monitoring emergency communications may - on the balance of probabilities -
just save a few lives. I'm thinking especially about bush fires where prior
warning may assist. The usual Emergency Services communications model
results in a big lag between operational orders and information being
released to the public. Command and Control take the major part of the
system's attention. Public communications are pretty low on the rankings.

I realise that simply listening to the communications chat may cause undue
worry or even result in misjudged actions resulting in death. I argue that
having some information will - in general - give a better result than having
no information at all.

The recent Victorian bush fires are a classic example of lack of information
flow to the public. The result was hundreds of deaths.

As an aside, one of the major problems in the Victorian bush fires was lack
of a common communications network between Emergency Services and Police.
Basically the Police couldn't use their radios to talk to Emergency Services
units and vice versa. One solution proposed is to move all radio systems to
an encrypted Police standard. In contrast to this, in Western Australia,
there is a current program to deploy thousands of radios into the Western
Australian Emergency Radio Network (WAERN). These are analogue unencrypted
radios designed to allow Emergency Services communications across an area
about 2.5 times the total area of Western Europe. Quite how the encrypted
Police systems will integrate with this is an as-yet unexplained mystery.


Re: Visa to adopt chip & pin in the US

David Alexander <davidalexander440@btinternet.com>
Mon, 29 Aug 2011 22:10:45 +0100 (BST)

I have studied the technology and security mechanisms behind Chip & PIN in
depth through the specialist smart card centre at Royal Holloway College,
University of London as part of the studies for my InfoSec MSc. I won't deny
that there are means by which they can be improved, but they are a lot less
broken than the current mag stripe cards and liability system still in use
in the USA and that used to be in effect in Europe. The banks wouldn't
change the system voluntarily because of the implementation costs, so they
were forced to by legal and regulatory means - the liability was transferred
to them from the customer, which forced their hands.

Statistics show that losses from card fraud dropped dramatically when C&P
was introduced, and criminals were forced to move a lot of their activities
to other areas. It's not perfect but it is much better. Fact.  The terminals
do need better anti-tamper protection/detection, and the additional
verification system for online purchases (e.g. "Verified by Visa") has
definite flaws, especially around the initial enrollment process. Murdoch et
al. at Cambridge have done excellent work in highlighting the issues, but a
lot of the defences can be implemented in the design of the cards and the
terminals, and these are being improved all the time. I don't know for
certain, but I expect that the US system will contain extra security
features to reduce the vulnerabilities in the system. For obvious reasons
the banks refuse to discuss the details and future plans. They still believe
in security by obscurity, even if most of us do not. As for the reports in
other publications, I'm not impressed with the standard of much of their
analysis and reporting.  As for the cost of card replacement, they are
normally replaced on a 3 year cycle anyway, so the cost of replacement with
new cards is nowhere near as high as it first appears.

The C&P cards also allow the introduction of the Chip Authentication Program
(google Barclays 'PINSentry') handheld device that can authenticate a
cardholder and digitally sign transactions. It improves the security of
online banking. Banks in the UK now use them to verify the identity of
people at the counter by using them to get the user to prove they know the
PIN for the card presented.

In summary, I don't agree that the US banks shouldn't do this. The EU
economy now runs on the use of EMV and debit card payments outstrip the use
of cash and cheques by a very significant percentage. The size of the EU
economy is as big as the US economy and interoperability is essential for
travellers and e-commerce. I would also be interested to hear of viable
alternatives; I'm not aware of any at the moment.


Re: T-Mobile JavaScript comment stripper breaks websites (RISKS-26.55)

Amos Shapir <amos083@hotmail.com>
Wed, 14 Sep 2011 16:05:31 +0200

Earlier versions of enscript, a pretty-printing utility on UNIX, had a bug
which caused it to mis-identify comments within strings and strings within
comments, so such constructs would be printed in the wrong font format.

The funny thing was that among the examples which were included with the
program, was a pretty-printed listing of the enscript source code itself;
the bug had caused the very code which was supposed to deal with these
constructs—which naturally contained strings like "/*"—to be formatted
badly, thus pointing clearly to where the bug was lurking!
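
The failure mode in both the T-Mobile stripper and the old enscript bug is a
scanner that looks for "/*" without knowing whether it is inside a string.
The following is an added example, not code from the RISKS post or from either
product: a naive regex stripper beside a small state machine that tracks
string and comment context for C-like syntax (strings, template literals,
line and block comments; regex literals are assumed out of scope), run over a
constructed sample containing the enscript-style traps.

```javascript
// Added example (not from the original RISKS post): a comment stripper that
// tracks lexical state, so "/*" inside a string literal is not treated as the
// start of a comment, and a quote inside a comment is not treated as a string.

// Naive stripper: regular expressions over the raw text, blind to context.
// This reproduces the failure mode described in the post.
function stripCommentsNaive(src) {
  return src.replace(/\/\*[\s\S]*?\*\//g, "").replace(/\/\/[^\n]*/g, "");
}

// State-aware stripper. Assumed syntax: '...' and "..." strings with backslash
// escapes, `...` template literals, // line comments and /* */ block comments.
// Regex literals (e.g. /\/*/) are deliberately out of scope; see the note.
function stripCommentsSafe(src) {
  const NORMAL = 0, SQ = 1, DQ = 2, TPL = 3, LINE = 4, BLOCK = 5;
  let state = NORMAL;
  let out = "";
  for (let i = 0; i < src.length; i++) {
    const c = src[i];
    const next = src[i + 1];
    switch (state) {
      case NORMAL:
        if (c === "/" && next === "*") { state = BLOCK; i++; }
        else if (c === "/" && next === "/") { state = LINE; i++; }
        else {
          if (c === "'") state = SQ;          // entering a string: from here on
          else if (c === '"') state = DQ;     // "/*" is literal text
          else if (c === "`") state = TPL;
          out += c;
        }
        break;
      case SQ:
      case DQ:
      case TPL:
        out += c;
        if (c === "\\" && next !== undefined) { out += next; i++; } // escape
        else if ((state === SQ && c === "'") ||
                 (state === DQ && c === '"') ||
                 (state === TPL && c === "`")) state = NORMAL;
        break;
      case LINE:
        if (c === "\n") { out += c; state = NORMAL; } // keep line structure
        break;
      case BLOCK:
        if (c === "*" && next === "/") { state = NORMAL; i++; }
        else if (c === "\n") out += c;                 // keep line numbers
        break;
    }
  }
  return out;
}

// Constructed sample: a comment opener inside a string, quotes inside a
// comment, a comment closer inside a string, and a template literal.
const SAMPLE = [
  'var open = "/*";   // comment containing a " quote',
  '/* block comment with "quotes" and an apostrophe \' */',
  "var close = '*/';",
  "var tpl = `/* not a comment */`;",
].join("\n");

// The naive version eats from the "/*" inside the first string through the
// end of the block comment, leaving an unterminated string literal behind.
console.log("naive:\n" + stripCommentsNaive(SAMPLE));
console.log("safe:\n" + stripCommentsSafe(SAMPLE));
```

Even the state-aware version is not a full lexer: a regex literal such as
`/\/*/` would still be misread, which is why a proxy that rewrites code it did
not author is a risk regardless of how careful its scanner is.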


Re: Yet another incident of over-reliance on GPS navigation (Smith, RISKS-26.55)

Geoff Kuenning <geoff@cs.hmc.edu>
Tue, 13 Sep 2011 17:24:39 -0700

> Police say 25-year-old Sarah Ho of Boston was driving on the Dover Road in
> South Newfane late Saturday afternoon when she came upon a road closed
> sign. She told police she drove around the sign after seeing other vehicles
> drive around the sign.

I think it's worth noting that this is only partially a GPS-trust issue.
Some years ago, my elderly mother was following written directions to my
brother's apartment when she discovered that the exit ramp she needed had
been closed for construction work.  Undeterred, she drove around the
barriers and might have caused serious harm had a cop not intervened.  (It
was shortly thereafter that we banned her from driving in Los Angeles.)

While it's true that people place too much trust in GPS navigation, it's
also true that drivers are notorious for ignoring obvious warnings.

Geoff Kuenning   geoff@cs.hmc.edu   http://www.cs.hmc.edu/~geoff/


Re: Yet another incident of over-reliance on GPS navigation (Smith, RISKS-26.55)

Amos Shapir <amos083@hotmail.com>
Wed, 14 Sep 2011 16:08:52 +0200

The article quotes the driver "She told police she drove around the sign
after seeing other vehicles drive around the sign."  This seems to be a case
of over-reliance on herd mentality, rather than a problem with using GPS.


Man unable to open car from the inside and dies of dehydration

Clive Page <cgp@star.le.ac.uk>
Sun, 28 Aug 2011 10:46:39 +0100

We have a Subaru Legacy with a similar locking system.  If the car is locked
using the button on the key-fob the doors cannot be opened from the inside:
this is supposedly an anti-theft feature.  In addition if you unlock the
doors using this button but fail to open at least one door within a minute,
the doors are re-locked.  These features made me worried that an electronic
fault could trap us inside.  For this reason I bought a hammer designed to
break toughened glass windows and installed it in a handy position by the
driving seat.  Perhaps all cars with anti-theft locking systems should have
one fitted as standard.  Sometimes a mechanical over-ride is good to have.


Patient Data Posted Online in Major Breach of Privacy (Kevin Sack)

Monty Solomon <monty@roscom.com>
Thu, 8 Sep 2011 18:56:31 -0400

Kevin Sack, *The New York Times*, 8 Sep 2011
http://www.nytimes.com/2011/09/09/us/09breach.html

A medical privacy breach involving Stanford Hospital in Palo Alto, Calif.,
led to the public posting of data for 20,000 emergency room patients,
including names and diagnosis codes, on a commercial Web site for nearly a
year, the hospital has confirmed.

Since discovering the breach last month, the hospital has been investigating
how a detailed spreadsheet made its way from one of its vendors, a billing
contractor identified as Multi-Specialty Collection Services, to a Web site
called Student of Fortune, which allows students to solicit paid assistance
with their schoolwork.  Gary Migdol, a spokesman for Stanford Hospital and
Clinics, said the spreadsheet first appeared on the site on Sept. 9, 2010,
as an attachment to a question about how to convert the data into a bar
graph.

Although medical security breaches are not uncommon, the Stanford breach was
notable for the length of time that the data remained publicly available
without detection. ...


Cash for iPhones—spam, scam, or phishing

"DoN. Nichols" <dnichols@d-and-d.com>
Tue, 13 Sep 2011 20:02:57 -0400

Today, in processing the spam which managed to sneak past my filters I found
one (personally addressed to me, not BCC'd) offering cash for old iPhones --
regardless of condition.

Now—my first thought (other than noting that I have never owned an
iPhone, so what makes them think that I have used ones) was "How difficult
is it to totally remove all personal information from an iPhone --
especially a non-jailbroken one."

A bit of searching seems to find similar places buying laptops and cell
phones, offering a high initial price, and then discovering all kinds of
reasons to drop their price to practically nothing.  So, it appears that
they do pay at least something for them—but as little as possible.

I, personally, would drill through any chips which might store information
rather than sell a used iPhone (if I had one) to such a place.  (Or more
likely, try to turn it into a portable device running linux or similar to
play with, but not to use for phone communication.)

But how many blindly turn over their used devices with no thought to what
information they may be releasing.

(703) 938-4564  http://www.d-and-d.com/dnichols/DoN.html
