The Risks Digest

The RISKS Digest

Forum on Risks to the Public in Computers and Related Systems

ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

Volume 26 Issue 70

Monday 2 January 2012

Contents

Election integrity
Bob Fitrakis/Harvey Wasserman
3 of 2011's worst data breaches involved medical records
Healthcare Tech Review
Skype Information Leakage and decoding of encrypted packets
Stephan Burschka via Lauren Weinstein
Re: Risks and aircraft control - how does voting fit into this?
John Levine
AZ Humane Society lies, kills man's cat, blocks Facebook comments

Re: Internet of things
David Magda
Re: IMDb and Amazon vs. the "Ageless Actress"
Peter Houppermans
Re: "Risks of focusing on risks"
Bob Paddock
Expiring CharlieCards causing confusion and frustration
Monty Solomon
Info on RISKS (comp.risks)

Election integrity (Bob Fitrakis/Harvey Wasserman, commondreams.org)

"Peter G. Neumann" <neumann@csl.sri.com>
Sat, 31 Dec 2011 12:28:47 PST

Bob Fitrakis and Harvey Wasserman
Has America's Stolen Election Process Finally Hit Prime Time?
http://www.commondreams.org/view/2011/12/30-2

It took two stolen US Presidential elections and the prospect of another one
coming up in 2012.

For years the Democratic Party and even much of the left press has reacted
with scorn for those who've reported on it.  But the imperial fraud that has
utterly corrupted our electoral process seems finally to be dawning on a
broadening core of the American electorate---if it can still be called that.

The shift is highlighted by three major developments:

1. The NAACP goes to the United Nations

In early December, the National Association for the Advancement of Colored
People (NAACP), the largest civil rights organization in America, announced
that it was petitioning the United Nations over the orchestrated GOP attack
on black and Latino voters.

In its landmark report entitled Defending Democracy: Confronting Modern
Barriers to Voting Rights in America, the NAACP directly takes on the new
Jim Crow tactics passed in fourteen states that are designed to keep
minorities from voting in 2012.

The report analyzes 25 laws that target black, minority and poor voters
“unfairly and unnecessarily restrict[ing] the right to vote.'' It notes “a
coordinated assault on voting rights.''

The Free Press has been reporting on this coordinated assault since the 2000
election, including the heroic struggle of voters in Ohio to postpone the
enactment of the draconian House Bill 194 that was the most restrictive
voting rights law passed in the United States. (See Voting rights activists
fight back against new Republican Jim Crow attack in Ohio.)
  http://www.freepress.org/columns/display/3/2011/1894

The NAACP points out that this most recent wave of voter repression is a
reaction to the “historic participation of people of color in the 2008
presidential election and substantial minority population growth according
to the 2010 consensus.''

It should be no surprise that the states of the old Confederacy—Florida,
Georgia, Texas, and North Carolina—are in the forefront of repressing
black voters. Three other Jim Crow states with the greatest increase in
Latino population—South Carolina, Alabama, and Tennessee—also
implemented drastic measures to restrict minority voting.

The report documents that a long-standing tactic under fire since the 1860s
-- the disenfranchisement of people with felony convictions—is back in
vogue. This has been coupled with `severe restrictions' on persons
conducting voter registration drives and reducing opportunities for early
voting and the use of absentee ballots complete these template legislative
acts.

Most of these new Jim Crow tactics were initially drafted as model
legislation by the American Legislative Exchange Council (ALEC), a secretive
and conservative corporate policy group whose founder, according to the
NAACP, is on record in favor of reducing the voting population in order to
increase their own `leverage'.

The Brennan Center for Justice estimates that the 25 laws passed in these 14
states could prevent as many as 5 million voters from voting, a number
easily exceeding the margin of victory in numerous presidential elections.

Ohio's HB 194, which awaits a 2012 referendum vote, would disenfranchise an
estimated 900,000 in one of our nation's key battleground states.

An important statistic in all the legislation is that 25% of African
Americans lack a state photo identification, as do 15% of Latinos, but by
comparison, only 8% of white voters.  Other significant Democratic
constituents—the elderly of all races and college students—would be
disproportionately impacted.

Ohio voters have just repealed a draconian anti-labor law passed by the
GOP-dominated legislature and the state's far-right governor John
Kasich. Whether they will do the same to this massive disenfranchisement
remains to be seen. But the fact that it's on a state ballot marks a major
leap forward. Ohio activists are also drafting a constitutional amendment
that includes revamping the registration, voting and vote count
procedures.(Can we transform labor's Buckeye victory into a new era of
election protection?
<http://www.freepress.org/departments/display/19/2011/4386>)

2. The Justice Department awakens

On Friday, December 23, 2011, the U.S. Justice Department called South
Carolina's new voter ID law discriminatory. The finding was based in
part on the fact that minorities were almost 20% more likely than whites
to be without state-issued photo IDs required for voting. Unlike Ohio,
South Carolina remains under the 1965 Voting Rights Act and requires
federal pre-approval to any changes in voting laws that may harm
minority voters.

The Republican governor of South Carolina Nikki Haley denounced the Justice
Department decision as `outrageous' and vowed to do everything in her power
to overturn the decision and uphold the integrity of state's rights under
the 10th Amendment.

The US Supreme Court has upheld the requirement of photo ID for voting.
Undoubtedly the attempt by US Attorney General Eric Holder to challenge this
will go to the most thoroughly corporate-dominated Court in recent
memory. The depth of the commitment of the Obama Administration to the issue
also remains in doubt.

3. The EAC finally finds that voting machines are programmed to be partisan

Another federal agency revealed another type of problem in Ohio. On
December 22, 2011, the U.S. Election Assistance Commission (EAC) issued
a formal investigative report on Election Systems & Software (ED&D)
DS200 Precinct County optical scanners. The EAC found “three substantial
anomalies'':

 * Intermittent screen freezes, system lock-ups and shutdowns that prevent
   the voting system from operating in the manner in which it was designed
 * Failure to log all normal and abnormal voting system events
 * Skewing of the ballot resulting in a negative effect on system accuracy

The EAC ruled that the ballot scanners made by ES&S electronic voting
machine firm failed 10% of the time to read the votes correctly. Ohio is one
of 13 states that requires EAC certification before voting machines can be
used in elections. The Cleveland Plain Dealer reported in 2010 that the
voting machines in heavily Democratic Cuyahoga County had failed during
testing for the 2010 gubernatorial election. Cleveland uses the same
Republican-connected ES&S ballot scanners—the DS200 opti-scan
system. Ohio's Mahoning County, home of the Democratic enclave of
Youngstown, also uses the DS200s. The same opti-scan system is also used in
the key battleground states of Florida, Illinois, Indiana, New York, and
Wisconsin.

Voting rights activists fear a repeat of the well-documented vote switching
that occurred in Mahoning County in the 2004 presidential election when
county election officials admitted that 31 of their machines switched Kerry
votes to Bush.

But a flood of articles about these realities---including coverage in the
New York Times---seems to indicate the theft of our elections has finally
taken a leap into the mainstream of the American mind. Whether that leads to
concrete reforms before another presidential election is stolen remains to
be seen. But after more than a decade of ignorance and contempt, it's about
time something gets done to restore a semblance of democracy to the nation
that claims to be the world's oldest.

Bob Fitrakis [bio and various succeeding commentaries omitted.

  Some RISKS readers may consider Fitrakis's analysis politically motivated.
  From a RISKS perspective, it is merely a reevaluation of many issues that
  have appeared here in the past.  Democracy should be for Everyone, just as
  The Internet is for Everyone!  PGN]


3 of 2011's worst data breaches involved medical records

Healthcare Tech Review <weekly@healthcaretechreview.com>
Mon, 02 Jan 2012 15:07:22 -0500

Special Report: 3 of 2011's worst data breaches involved medical records
-- From Healthcare Tech Review <http://healthcaretechreview.com/>

We've reported before on how valuable health information is for criminals.
http://healthcaretechreview.com/stolen-medical-records-lucrative/ patients'
That explains why a few of the worst data breaches organizations experienced
in the past year involved the theft of electronic medical records.
http://to.healthcaretechreview.com/az?ue=QQG&pulb=1&Id=6834011986&L=HealthcareTechReview_5_A

29 Dec 2011 by Scott Gibson
<http://healthcaretechreview.com/author/snarisi/>
<http://healthcaretechreview.com/worst-data-breaches-involved-medical-records/>

Privacy Rights Clearinghouse (PRC), a nonprofit consumer protection group,
recently published its list of the six worst data breaches of 2011. Of those
that made the list, three involved health information.
<https://www.privacyrights.org/top-data-breach-list-2011>

Medical records are a big target for criminals, PRC said, because of the
amount of sensitive information they contain. Those records often contain
not just coveted Social Security numbers and dates of birth, but also data
that can be used to commit insurance fraud or buy and resell prescription
drugs.

These were the three most significant health data breaches of 2011:

* Sutter Physicians Services and Sutter Medical Foundation: A desktop
  computer containing patient data was stolen from Sutter's administrative
  offices in Sacramento, CA. The PC was password-protected, but data was not
  encrypted, and approximately 3.3 million patients whose providers use
  Sutter's services had sensitive information exposed. Sutter has been sued
  for negligence in protecting the patients' information and failing to
  notify affected patients in a timely manner.

* Health Net: Nine servers went missing from Health Net's data center in
  Rancho Cordova, CA, containing the names, addresses, Social Security
  numbers, and health and financial information of 1.9 million policy
  holders. The theft was discovered in January, but affected customers
  weren't informed until three months later.

* Tricare/SAIC: Backup data tapes containing information about patients from
  military hospitals and clinics were stolen from an employee's car. The
  data on the tapes was unencrypted and included patient medical information
  potentially spanning years from 1992 to 2011. An estimated 5.1 million
  patients may have been affected, and a $4.9 billion lawsuit has been filed
  against Tricare and SAIC.

Those breaches had some elements in common—they all involved data that
was unencrypted and were carried out by stealing physical equipment
containing data. Also, in two of the incidents, a major issue was the
failure to notify people whose information may have been stolen.

The lessons for health IT professionals:

 1. Make sure all sensitive data is kept encrypted
 2. Pay attention to physical security as well as information security
 3. Create policies and train employees to be careful when they
    transport sensitive data outside of the office, and
 4. If a breach does occur, organization must make sure law enforcement
    and affect people are notified as soon as possible—it pays to have
    a breach plan in place before an incident occurs.

  [PRC's 6 Worst Data Breaches among 535 cases noted by PRC in 2011 (not
  just healthcare) were also reported in *Information Week*: Sony, Epsilon,
  RSA, Sutter, Tricare/SAIC, and Nasdaq.  PGN]
    http://www.informationweek.com/news/security/attacks/232301079


Skype Information Leakage and decoding of encrypted packets

Lauren Weinstein <lauren@vortex.com>
Thu, 29 Dec 2011 13:18:05 -0800

Stephan Burschka, Chaos Computer Club Congress (YouTube / ~1 hour)
Datamining for Hackers - Skype Information Leakage and decoding of
encrypted packets  [via NNSquad]
http://j.mp/spIFdh
http://bit.ly/rBS7SW

  "This talk presents Traffic Mining (TM) particularly in regard to VoiP
  applications such as Skype. TM is a method to digest and understand large
  quantities of data. Voice over IP (VoIP) has experienced a tremendous
  growth over the last few years and is now widely used among the population
  and for business purposes. The security of such VoIP systems is often
  assumed, creating a false sense of privacy. Stefan will present research
  into leakage of information from Skype, a widely used and protected VoIP
  application.  Experiments have shown that isolated phonemes can be
  classified and given sentences identified. By using the dynamic time
  warping (DTW) algorithm, frequently used in speech processing, an accuracy
  of 60% can be reached. The results can be further improved by choosing
  specific training data and reach an accuracy of 83% under specific
  conditions."


Re: Risks and aircraft control - how does voting fit into this?

John Levine <johnl@iecc.com>
30 Dec 2011 05:17:05 -0000

>vote online", but also "if we can rely on software to fly our planes, why
>can't we rely on software to run our elections".

If people were trying as hard to subvert avionics software as they are to
subvert voting software, we wouldn't use software to fly our planes either.
It's a totally different environment.

It certainly doesn't help that most voting software seems to be written by
people who flunked out of junior high school programming classes, but even
if it were better written, the threat models are not even a little bit
comparable.


AZ Humane Society lies, kills man's cat, blocks Facebook comments

"Peter G. Neumann" <neumann@csl.sri.com>
Sat, 31 Dec 2011 3:30:11 PST

Rescue group in crisis mode after cat euthanized
http://j.mp/vHgXOn  (AP / TriCityHerald, Phoenix, Arizona)

"Animal lovers threatened to pull donations to an animal rescue group and
the public flooded the agency with scathing comments and calls after a man's
cat was euthanized when he couldn't afford its medical care, prompting the
Arizona Humane Society to go into damage-control mode Wednesday.The group
has hired a publicist, removed dozens of comments on its Facebook page and
directed a team of five volunteers to respond to the overwhelming calls and
emails it has received since The Arizona Republic published a weekend story
about Daniel Dockery and his 9-month-old cat, Scruffy."


Re: Internet of things

David Magda <dmagda@ee.ryerson.ca>
Fri, 30 Dec 2011 13:25:44 -0500

In RISKS-26.65 and 26.66 there were reports of HP printers being vulnerable
to being compromisable. The original researcher, Ang Cui, has now given the
technical details at this year's Chaos Communications Congress (28C3):

  Weaknesses within the firmware update process allows the attacker to make
  arbitrary modifications to the NVRAM contents of the device. The attacks
  we present exploit a functional vulnerability common to all HP printers,
  and do not depend on any specific code vulnerability. These attacks cannot
  be prevented by any authentication mechanism on the printer, and can be
  delivered over the network, either directly or through a print server
  (active attack) and as hidden payloads within documents (reflexive
  attack).

  http://events.ccc.de/congress/2011/Fahrplan/events/4780.en.html
  http://boingboing.net/2011/12/30/printer-malware-print-a-malic.html  (via)

A video of his one hour presentation is available:

  http://www.youtube.com/watch?v=njVv7J2azY8

As Boing Boing mentions, there was also a paper on attacking via PostScript, which is found in just about every medium- to high-end printer out there:

  http://events.ccc.de/congress/2011/Fahrplan/events/4871.en.html


Re: IMDb and Amazon vs. the "Ageless Actress" (Weinstein, R-26.69)

Peter Houppermans <peter@houppermans.com>
Fri, 30 Dec 2011 19:33:39 +0000

There is an interesting gap in privacy legislation between the US and EU.

This is why European (and Swiss) privacy laws demand that such permission is
given EXPLICITLY.

Having it buried in another contract in six point light grey Sanskrit
characters on a white background is not acceptable - the section that deals
with handing of personal data must be separate, needs to clearly spell out
what that data is going to be used for and may NOT be defaulted to "yes" in
the case of the use of tick boxes.


Re: "Risks of focusing on risks" (RISKS-26.68)

Bob Paddock <bob.paddock@gmail.com>
Fri, 30 Dec 2011 20:21:13 -0500

Some items from my blog:

"In the Law of Unintended Consequences, the site Insurance Institute for
Highway Safety, Highway Loss Data Institute, tells us in their September
28th, 2010 report that, Texting bans don't reduce crashes; effects are
slight crash *increases* because the Texter is trying harder to hide what
they are doing, becoming even more distracted."

http://blog.softwaresafety.net/2010/11/emergency-broadcast-alerts-coming-to.html

based on report from: http://www.iihs.org/news/rss/pr092810.html .

Now we also have  Distracted Doctors:
http://blog.softwaresafety.net/2011/12/distracted-doctoring-better-or-worse.html

and the potential for Distracted Pilots
(the paper being replaced by a device may have already been a distraction):
http://blog.softwaresafety.net/2011/12/distracted-pilots.html

As Bob Frankston points out, it is not the device that is the problem,
it is the persons behavior that is the problem.

http://blog.softwaresafety.net/ http://www.designer-iii.com/
http://www.wearablesmartsensors.com/


Expiring CharlieCards causing confusion and frustration

Monty Solomon <monty@roscom.com>
Mon, 2 Jan 2012 02:09:46 -0500
Excerpt from

Expiring CharlieCards causing confusion and frustration
http://www.bostonglobe.com/metro/2012/01/01/expiring-charliecards-causing-confusion-and-frustration/aCFuYJF2erbu5072enGKFI/story.html?s_campaign=8315

For frequent riders, the expiration proves largely invisible: Their cards
get an automatic software upgrade, and two-year extension, when swiped. But
irregular riders may find themselves suddenly unable to use their plastic
CharlieCard. ..

A few weeks ago, reader Irene Gruenfeld of Sudbury and her husband took
their 5-year-old twins on a stroll through the city with a promise of a Red
Line ride from Charles/MGH back to their car in South Boston. They had more
than $10 on each of their cards, but the station gates failed to open,
displaying an "expired'' message. The vending machines presented similarly
cryptic information. No staff was present, forcing them to buy the paper
CharlieTickets spit out by the machine, which cost 30 cents more per ride.

When the CharlieCard was introduced, five years was the industry standard
for the still-emerging smartcard technology. Manufacturers at the time
recommended a programmed "sunset date'' to stave off problems that might
arise from frequently used cards nearing the end of their useful life, he
said. As it became clear the cards could last longer, more recently issued
CharlieCards have been given sunset dates of 10 years. Most of the 6 million
issued have the longer lifespan, he said.

Please report problems with the web pages to the maintainer

Top