The RISKS Digest
Volume 26 Issue 64

Saturday, 26th November 2011

Forum on Risks to the Public in Computers and Related Systems

ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

Please try the URL privacy information feature enabled by clicking the flashlight icon above. This will reveal two icons after each link the body of the digest. The shield takes you to a breakdown of Terms of Service for the site - however only a small number of sites are covered at the moment. The flashlight take you to an analysis of the various trackers etc. that the linked site delivers. Please let the website maintainer know if you find this useful or not. As a RISKS reader, you will probably not be surprised by what is revealed…


CalPERS computer misfire sparks benefit cancellations
Randall Neff
Robot prison wardens - with guns?
Peter Houppermans
"Facebook bans at work linked to increased security breaches"
Nestor E. Arellano via Gene Wirchenko
"Hired posters degrading Web's information credibility"
John P. Mello Jr. via Gene Wirchenko
Thailand wants Facebook links blocked, warns that pressing "Like" can lead to prosecution
Lauren Weinstein
If You Can't Trust Caller ID ...
Matt Richtel
LaTeX as an example of software engineering best practices?
Mark Thorson
Re: Update: U.S. water plants reportedly hit by cyber attacks
Alexander Klimov
Ruined water pump apparently wasn't attacked by hackers after all
Lauren Weinstein
Apple iTunes flaw 'allowed government spying for 3 years'
Lauren Weinstein
More on Duqu/stuxnet link?
Missing the point of the Internet
Bob Frankston
REVIEW: Eric D. Knapp, Industrial Network Security: Securing Critical Infrastructure Networks for Smart Grid, SCADA, and Other Industrial Control Systems
Richard Austin
Info on RISKS (comp.risks)

CalPERS computer misfire sparks benefit cancellations

Randall Neff <>
Sat, 26 Nov 2011 08:42:33 -0800

Sacramento, Calif.  A glitch with CalPERS' (California Pension System) new
half-billion-dollar computer system has delayed death benefit checks to
widowed spouses and incorrectly triggered letters notifying some members
that their health insurance has been canceled.

Robot prison wardens - with guns?

Peter Houppermans <>
Sat, 26 Nov 2011 17:13:05 +0100

Robot wardens are about to join the ranks of South Korea's prison service.

  A jail in the eastern city of Pohang plans to run a month-long trial with
  three of the automatons in March.  The machines will monitor inmates for
  abnormal behaviour.  Researchers say they will help reduce the workload
  for other guards.  South Korea aims to be a world leaders in
  robotics. Business leaders believe the field has the potential to become a
  major export industry.

It actually gets even better:

  "The South Korean defence company DoDAAM is also developing robotic gun
  turrets for export which can be programmed to open fire automatically."

Oh yeah, you want those turrets on that robot in a prison.  New, untried OS,
vendor under competitive pressure, gun with real bullets and a high
likelihood of this thing having some form of remote management.  What could
possible go wrong?

PS: good luck recruiting service engineers...

"Facebook bans at work linked to increased security breaches"

Gene Wirchenko <>
Thu, 24 Nov 2011 10:23:49 -0800
  (Nestor E. Arellano)

I have submitted news of a number of Facebook security breaches.  Now, it
appears that they (whoever that is) have you coming and going.  The title
says it:

  Facebook bans at work linked to increased security breaches

  Companies that ban employees from using social media are 30 per cent more
  likely to suffer computer security breaches than firms that are more
  lenient on the issue of workers tweeting and checking Facebook posts in
  the office, according to recent survey.
  Nestor E. Arellano, *IT Business*, 24 Nov 2011

"Hired posters degrading Web's information credibility"

Gene Wirchenko <>
Fri, 25 Nov 2011 10:53:41 -0800
  (John P. Mello Jr.)
Hired posters degrading Web's information credibility
A new study says paid posters are poisoning the Internet with their
untrustworthy content.

 John P. Mello Jr., *IT Business*, 24 Nov 2011

Thailand wants Facebook links blocked, warns that pressing "Like"

Lauren Weinstein <>
Thu, 24 Nov 2011 12:35:16 -0800
  can lead to prosecution (NNSquad)  (TheNextWeb)

  The government of Thailand has contacted Facebook to request the
  removal of more than 10,000 of its pages that are deemed in breach of
  laws preventing the defamation of the country's royal family.

 - - -  (Bangkok Post)

  Local Facebook users risk violating the computer law unknowingly by
  pressing the "like" or "share" button included with posted comment on
  anti-monarchy messages on the most popular social networking site,
  Information and Communication Technology Minister Anudith Nakornthap said
  on Thursday.  Anyone doing so could be arrested on charges of violating
  the Computer Crime Act and committing lese majeste because the law
  prohibits the dissemination of content deemed insulting to the monarchy,
  he said.  Facebook users should not press the “like'' button or post
  comments on lese majeste-related content.

 - - -

How about this for a way to prod these Neanderthals into the 21st century?
Cut them off the Net totally until these practices cease.  Be sure to read
the part about the 61-year-old man just handed a 20 year prison sentence for
sending SMS messages "insulting" to the royal family.

If You Can't Trust Caller ID ... (Matt Richtel)

"Peter G. Neumann" <>
Wed, 23 Nov 2011 14:14:47 PST

Telemarketers increasingly are disguising their real identities and
phone numbers...  Caller ID [properly, Calling Number ID] is becoming
Fake ID.  New FCC rules have been instituted to combat this practice,
but are apparently very limited in their effectiveness...  [Source: Matt
Richtel, *The New York Times* front page, 23 Nov 2011; PGN-ed]

LaTeX as an example of software engineering best practices

Mark Thorson <>
Fri, 25 Nov 2011 10:48:44 -0800

You might think that a program written by Donald Knuth and Leslie Lamport
would be an ideal example of good programming, rather than the kind of
encrusted monstrosity we expect from Microsoft.  But perhaps it's the way of
all things to end up like that, no matter who wrote it.

Re: LaTeX as an example of software engineering best practices

Peter Neumann <>
Fri, 25 Nov 2011 19:32:56 PST

Mark, TEX is complicated.  Don Knuth once told me he never used it, and just
handed raw text (on paper?) to his secretaries to be TEXed.

LaTeX was created by Les Lamport initially primarily for his own use
(reminds you a little of Unix?).  He gave it away for free, but his son's
college education was funded from the book sales.  But LaTeX significantly
simplified many of the more challenging corners of TEX, and yet it deals
with huge numbers of fonts, IEEE and ACM styles for formatting and
bibliographies and whatever, automated indexing, and miraculously it usually
works once you have figured out how to use it, with copious additional
advice existing on the Web.  But it is nontrivial to get it working

Complex system are intrinsically complex.  That's not a surprise.  One
question is whether the human interface can be usable.  Another question is
whether it is sufficiently well software engineered and modularly
encapsulated to be easily extendable by others.  For those reasons, I am
still addicted to LaTeX and emacs.  But I don't think I would want to use
them for creating large documents on an iPad.

Re: Update: U.S. water plants reportedly hit by cyber attacks

Alexander Klimov <>
Thu, 24 Nov 2011 19:39:01 +0200
  (Lemos, R 26 62)


  The Department of Homeland Security and the FBI on Wednesday shot
  down reports that a cyber attack recently took down a pump at an
  Illinois public water utility.

  "After detailed analysis, DHS and the FBI have found no evidence of
  a cyber intrusion into the SCADA system of the Curran-Gardner Public
  Water District in Springfield, Illinois," a DHS spokesman said in a

  [...] DHS, however, said the reports seen by Weiss "were based on
  raw, unconfirmed data and subsequently leaked to the media." After
  evaluating the situation, officials found "no evidence ... that any
  credentials were stolen, or that the vendor was involved in any
  malicious activity that led to a pump failure at the water plant."

  "In addition, DHS and FBI have concluded that there was no malicious
  traffic from Russia or any foreign entities, as previously
  reported," DHS continued. "Analysis of the incident is ongoing and
  additional relevant information will be released as it becomes

I guess most people excited by the original report will never see the

Ruined water pump apparently wasn't attacked by hackers after all

Lauren Weinstein <>
Tue, 22 Nov 2011 18:21:57 -0800
  (Re: Lemos, RISKS-26.62)  (Wired)

  "A report from an Illinois intelligence fusion center that a water utility
  was hacked cannot be substantiated, according to an announcement released
  late Tuesday by the Department of Homeland Security.  Additionally, the
  department disputes assertions in the fusion center report that an
  infrastructure-control software vendor was hacked prior to the water
  utility intrusion in order to obtain user names and passwords to break
  into the utility company and destroy a water pump."

 - - -

Some of you may recall I was skeptical of this report early on.  While
there's still confusion, I will say again that the "Quick! Blame the evil
hackers and foreign governments testing our defenses!" excuse for local
screw-ups should always be considered as a strong contender in these

Lauren Weinstein (
People For Internet Responsibility:
Network Neutrality Squad:

Apple iTunes flaw 'allowed government spying for 3 years'

Lauren Weinstein <>
Fri, 25 Nov 2011 12:23:05 -0800

  "A British company called Gamma International marketed hacking software to
  governments that exploited the vulnerability via a bogus update to iTunes,
  Apple's media player, which is installed on more than 250 million machines
  worldwide.  The hacking software, FinFisher, is used to spy on
  intelligence targets' computers. It is known to be used by British
  agencies and earlier this year records were discovered in abandoned
  offices of that showed it had been offered to Egypt's feared secret
  police."  (Telegraph)

 - - -

I have no additional info about this report yet, one way or another.

More on Duqu/stuxnet link?

"Peter G. Neumann" <>
Wed, 23 Nov 2011 10:21:14 PST

Missing the point of the Internet (Re: Shapir, RISKS-26.63)

"Bob Frankston" <>
Fri, 25 Nov 2011 14:25:36 -0500

Today's Internet is a work in progress. Indeed the current implementation
lends itself to tracking because the current implementation depends on a
central authority for names and addresses (DNS and IP) and because bits are
tracked in order to support the current telecommunications business model.

The real risk is confusing these artifacts with the larger idea of the
Internet which shows what can done without a central authority or, for now,
despite these central authorities.

As I explain in networks are not
fundamental. This means that the Internet is not easier to control once
there is a funding model that doesn't require controlling the path.

To put it another way—the reason that the Internet is easy to control is
that we have stakeholders who embrace control and not because such control
is necessary.

  -----Original Message-----
  From: Amos Shapir []
  Sent: Sunday, November 20, 2011 09:59
  Subject: [risks 26.63] Re: The Coming Fascist Internet (Weinstein,

Comparing the Internet to other rather new technologies shows that prognosis
is not good.  Take driving as a case in point: about 20 years after the
invention of the automobile, anyone could drive anything anywhere; now no
one can drive anywhere unless both vehicle and driver are licensed and
registered by some government.

The Internet is even easier to control than roads, as all infrastructure is
supplied by a few big companies, which usually comply with the government.
China seems to be the future.

REVIEW: Eric D. Knapp, Industrial Network Security: Securing

"Cipher Editor" <>
Thu, 24 Nov 2011 00:23:22 -0700
  Critical Infrastructure Networks for Smart Grid, SCADA, and Other
  Industrial Control Systems (Richard Austin)

Newsletter of the IEEE Computer Society's TC on Security and Privacy
Electronic Issue 105                                       November 22, 2011
Hilarie Orman, Editor                           Sven Dietrich, Assoc. Editor
cipher-editor @    cipher-assoc-editor @

Richard Austin                                                     Yong Guan
Book Review Editor                                           Calendar Editor
cipher-bookrev @            cipher-cfp @

                    Book Review By Richard Austin
                          November 18, 2011

Industrial Network Security: Securing Critical Infrastructure Networks
for Smart Grid, SCADA, and Other Industrial Control Systems
Eric D. Knapp
Syngress 2011.
ISBN 978-1-59749-645-2, U.S. $32.90

Table of Contents:

Whether based on the success of STUXNET, Richard Clarke's "Cyber War" or
Joel Brenner's "America the Vulnerable", a convincing case has been made
that we, as security professionals, should be concerned about the security
measures (or lack thereof) being applied to the industrial control systems
that manage power generation and distribution as well as many other critical
infrastructure components.  At the same time, many of us, like your humble
correspondent, would be forced to admit that our knowledge in this area
doesn't go much further than being able to spell out the acronym "SCADA".
Knapp recognizes this lack and provides a quite readable introduction to
industrial networks and how familiar security principles can be translated
to apply in this complex area.

The first third of the book provides an introduction to industrial networks,
their protocols and how they operate.  Peppered throughout the introduction
are sidelights on security incidents and previews of how security measures
may be applied.  Acronyms multiply quickly and readers will likely want to
maintain a cheat sheet to avoid having to flip back and forth to find their
meanings (many, but not all, are in the glossary).

The majority of the book is devoted to parsing out what "information
security" really means in the context of industrial networks.  Familiar
topics such as "vulnerability and risk management" and "situational
awareness" are placed in context and the unique considerations imposed by an
industrial control network are identified.  For example, many of us will
have had the experience of crashing a piece of network equipment when
scanning its management interface to assess its attack surface.  What is an
inconvenience in that context may have a much wider impact when the device
is controlling a real-world process.

As you might expect, compliance is a major concern and a very useful chapter
reviews the relevant standards/regulations and provides recommendations for
demonstrating compliance.  Knapp also provides a "reverse mapping" that even
identifies the relevant chapter of the book.

The closing chapter's review of why-things-often-go-wrong includes many of
the usual suspects ("Compliance vs. Security", "Misconfigurations", etc) and
serves as a final reminder that though industrial networks present many
unique features, they also have much in common with the more familiar areas
of information security.

Whether you are charged with defending an industrial network or curious
about all the "buzz" over SCADA security, Knapp's book will provide a solid
introduction to this fascinating area.  Definitely a recommended read.

  [Before beginning life as a university instructor and independent
  cybersecurity consultant, Richard Austin (
  spent 30+ years in the IT industry in positions ranging from software
  developer to security architect.  He welcomes your thoughts and comments
  at raustin2 at spsu dot edu .]

Please report problems with the web pages to the maintainer