The Risks Digest

The RISKS Digest

Forum on Risks to the Public in Computers and Related Systems

ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

Volume 26 Issue 71

Thursday 26 January 2012

Contents

Deducing causality?
Jonah Lehrer via PGN
More on total-system issues; We are all interconnected
PGN
The Wired Car
Tom Ashbrook via Monty Solomon
Risks of Instant Messaging in Indy Racing
MLCook
Passengers on British Airways warned of crash landing
Jim Reisert
Lawyer Demands Pacemaker Vendor Supply Source Code
Werner U
$44 million bill from Bronx-Lebanon Hospital
Jim Reisert
Cameras may open up the board room to hackers
PGN via Nicole Perlroth
Belarus Is Now Home to the Internet's Most Insane Law
Sam Biddle via LW
Top 1% NYT Readers are Consuming 50% of the text!
Kevin J. O'Brien via Bob Frankston
“Internet Access Is Not a Human Right''
Vint Cerf via LW
"Megaupload file seizure shows why many cautious about the cloud"
Ian Paul via Gene Wirchenko
Con-men set up face Facebook site asking for donations
Jim Reisert
Hi-tech heist takes millions from South African Postbank
Jim Reisert
Hackers post 1000s of Israeli credit card numbers
Danny Burstein
Viruses stole City College of S.F. data for years
Nanette Asimov via Jim Reisert
Thieves steal debit-card PIN keypads
Mark Brader
Pocket-dialed 911 calls increasingly common
Mark Brader
Who Is Flying Unmanned Aircraft in the U.S.?
EFF
Nancy G. Leveson: Engineering a Safer World
PGN
Info on RISKS (comp.risks)

Deducing causality? (Jonah Lehrer)

"Peter G. Neumann" <neumann@csl.sri.com>
Mon, 9 Jan 2012 10:02:02 PST

Jonah Lehrer, Trials and Errors: Why Science is Failing Us, *WiReD* Jan 2012

http://www.wired.com/magazine/2011/12/ff_causation/all/1

Thanks to Kenneth Olthoff for spotting this one.  He commented "on how
assumptions about our ability to deduce causality sometimes lead to poor
outcomes."  Jonah Lehrer's article says that "The story of torcetrapib is a
tale of mistaken causation" relating to basing analysis on significantly
incorrect assumptions about the effects of raising HDL and lowering LDL.
"Because scientists understood the individual steps of the cholesterol
pathway at such a precise level, they assumed they also understood how it
worked as a whole."  The article suggests many broader implications relating
to modern science overall.

This may seem far afield from computer-related risks, but it is exactly the
type of problem with emergent properties that result from compositions of
subsystems.  The results are not "side-effects", but rather "effects" that
must be understood systemically, exactly as is the case with pharmaceuticals.


More on total-system issues; We are all interconnected

"Peter G. Neumann" <neumann@csl.sri.com>
Sat, 21 Jan 2012 9:37:47 PST

Fukushima radiation spreads worldwide

* The University of California at Berkeley detected cesium levels in
  San Francisco area milk above over [sic] EPA limits ... and even higher
  than they were 6 months ago.
* Finnish public television says that cesium from Fukushima has been
  detected in lichens, fungi and elk and reindeer meat in Finland.
* The Australian Radiation Protection and Nuclear Safety Agency
  confirmed a radiation cloud over the East Coast of Australia.
* The West Coast of Canada is getting hit by debris from Japan, and
  at least some of it is likely radioactive.

The authors of the controversial study claiming 14,000 deaths in the U.S. so
far from Fukushima are now upping their figure to 20,000.  [Source: author
unspecified, WashingtonsBlog, 18 Jan 2012]
http://www.washingtonsblog.com/2012/01/fukushima-radiation-spreads-worldwide.html


The Wired Car (Tom Ashbrook)

Monty Solomon <monty@roscom.com>
Tue, 24 Jan 2012 22:28:54 -0500

On Point with Tom Ashbrook, 12 Jan 2012

Detroit wants to turn your car into a rolling internet connection.  We'll
look at cars as the Web on wheels.

You may think your car has enough bells and whistles. Detroit and the rest
of the auto-making world do not. The Detroit Auto Show this week is brimming
with roll-outs and announcements and hints of a super high tech future for
cars.

Cars that are one with the Internet and GPS and your home computer and the
e-cosmos in the cloud. Cars that watch the road, watch you, watch your
Facebook page, your heart rate, your smart phone. Cars that watch each
other, like a flock of birds.

This hour, On Point: Ready or not, cars that are the "Web on wheels," and
more.

-Tom Ashbrook

Guests

* Michelle Krebs, senior analyst at Edmunds.com.
* Hiawatha Bray, tech reporter and columnist for the Boston Globe.
* Doug Newcomb, senior editor of the Technology section at Edmunds.com.
* Jim Buczkowski, director of Research and Advanced Engineering at Ford
  Motor Company.

http://onpoint.wbur.org/2012/01/12/the-wired-car
http://onpoint.wbur.org/media-player?url=http://onpoint.wbur.org/2012/01/12/the-wired-car&title=The+Wired+Car&pubdate=2012-01-12&segment=1&source=onpoint
http://audio.wbur.org/storage/2012/01/onpoint_0112_1.mp3


Risks of Instant Messaging in Indy Racing

<mlcook@wabtec.com>
Thu, 5 Jan 2012 08:49:42 -0500

A "Sports Illustrated" article, "New IndyCar race director ready to rewrite
rules" caught my eye.  Radios are currently used at the Indianapolis Motor
Speedway to communicate with drivers and their pit crews.
http://sportsillustrated.cnn.com/2012/racing/01/04/beaux.barfield.indycar.ap/index.html

The new race director, Beaux Barfield, will propose using the track's
Internet system to send instant messages instead to communicate between the
pit crews and the control tower.
Barfield believes that if instant messaging had been in use in a recent
controversial race, "All those messages would have popped right up on my
screen, and I would have seen them light up."

Instant messaging for communication during events that happen quickly and at
high speed.  Hmmm, I hope they can type fast, and that their network doesn't
have problems during the race.

What could go wrong?

  [Get SIRI-ous?  Voice-operated messages might be a little better, but
  still rather distracting for the driver.  PGN]


Passengers on British Airways warned of crash landing

Jim Reisert AD1C <jjreisert@alum.mit.edu>
Fri, 20 Jan 2012 15:28:10 -0700

The overnight British Airways trip from Miami to London's Heathrow Airport
was thrown into panic after a recorded message mistakenly announced their
plane was about to crash in the ocean.  Thirty seconds later, a crew member
casually announced that the prerecorded announcement was played accidentally
and there was no risk.

http://www.nydailynews.com/news/world/passengers-british-airways-flight-terrified-message-warns-crash-landing-article-1.1007868

Jim Reisert AD1C, <jjreisert@alum.mit.edu>, http://www.ad1c.us

[Also noted by ABCNEWS.  PGN]
http://abcnews.go.com/blogs/headlines/2012/01/british-airways-errs-in-crash-warning-to-passengers/


Lawyer Demands Pacemaker Vendor Supply Source Code

Werner U <werneru@gmail.com>
Wed, 25 Jan 2012 02:48:52 +0100

https://science.slashdot.org/story/12/01/21/1345247/lawyer-demands-pacemaker-vendor-supply-source-code

oztiks writes "Lawyer Karen Sandler's heart condition means she needs a
pacemaker to ward off sudden death. Instead of trusting that the vendor will
create a flawless platform for the device to operate, Sandler has demanded
to see the device's source code. Sandler's reasoning brings into question
the device's reliably, stability, and oddly enough, security."

http://www.zdnet.com.au/cyborg-lawyer-demands-software-source-339330089.htm


$44 million bill from Bronx-Lebanon Hospital

Jim Reisert AD1C <jjreisert@alum.mit.edu>
Fri, 20 Jan 2012 15:38:19 -0700

Unemployed doorman Alexis Rodriguez couldn't believe his eyes when he opened
an envelope from Bronx-Lebanon Hospital last week and saw what he appeared
to owe.  His amount due was $44,776,587 for outpatient services that in
reality amounted to no more than $300.

The billing firm, PHY Services, said it was a simple mistake: The
subcontractor that prints the bills put the invoice number into the *amount
due* field.

https://www.nydailynews.com/life-style/health/44-million-bill-bronx-lebanon-hospital-article-1.1006744


Cameras may open up the board room to hackers (Nicole Perlroth)

"Peter G. Neumann" <neumann@csl.sri.com>
Mon, 23 Jan 2012 9:11:09 PST

One afternoon this month, a hacker took a tour of a dozen conference rooms
around the globe via equipment that most every company has in those rooms;
videoconferencing equipment.  With the move of a mouse, he steered a camera
around each room, occasionally zooming in with such precision that he could
discern grooves in the wood and paint flecks on the wall. In one room, he
zoomed out through a window, across a parking lot and into shrubbery some 50
yards away where a small animal could be seen burrowing underneath a
bush. With such equipment, the hacker could have easily eavesdropped on
privileged attorney-client conversations or read trade secrets on a report
lying on the conference room table.

In this case, the hacker was HD Moore, a chief security officer at Rapid7, a
Boston based company that looks for security holes in computer systems that
are used in devices like toaster ovens and Mars landing equipment. His
latest find: videoconferencing equipment is often left vulnerable to
hackers. [...]

[Source: Nicole Perlroth, *The New York Times*, 22 Jan 2012]
http://www.nytimes.com/2012/01/23/technology/flaws-in-videoconferencing-systems-put-boardrooms-at-risk.html?_r=1&partner=rss&emc=rss&pagewanted=all


Belarus Is Now Home to the Internet's Most Insane Law

Lauren Weinstein <lauren@vortex.com>
Tue, 3 Jan 2012 09:54:22 -0800

  "Belarus: small. Proud. Kvass-drinking. A long history of dubious human
  rights and piddling dictatorship. And now, bound to a law that makes it
  illegal to browse foreign websites." ...
  http://j.mp/xIK0Vk  (Sam Biddle, Gizmodo)


Top 1% NYT Readers are Consuming 50% of the text! (Kevin J. O'Brien)

Bob Frankston <Bob19-0501@bobf.frankston.com>
Sat, Jan 7, 2012 at 9:14 PM

  "The world's congested mobile airwaves are being divided in a lopsided
  manner, with 1 percent of consumers generating half of all traffic.  The
  top 10 percent of users, meanwhile, are consuming 90 percent of wireless
  bandwidth."  http://j.mp/ybfqiA (Kevin J. O'Brien, *The New York Times*)

Once again we get a story warning us that the bad people are using up the
Internet. It was in both the NYT and Macworld:

http://www.arieso.com/news-article.html?id=3D89
http://www.nytimes.com/2012/01/06/technology/top-1-of-mobile-users-use-half-of-worlds-wireless-bandwidth.html
http://www.macworld.com/article/164665/2012/01/study_iphone_4s_users_consume_the_most_data.html

What makes this version particularly odious is that it plays upon the 1%
meme. I'm well-practiced in debunking this kind of story by comparing it the
modem crisis in the 1990's when we were warned that bad people were using
modems to destroy the phone network so grandma can't make calls. This is
part of a PR offensive by the cellular industry—look at those interviewed
and all of those unnecessarily loaded words.

I know I'm not alone in this understanding but where is the critical
reporting on this subject? Typically when the press reports biased stories
in politics the politicians are supposed to defend themselves by saying the
other candidates should spend money to counter the stories. (Not a great
system but that's another subject)

In this case what is the constituency that pushes back on this story? I did
post http://rmf.vc/Plight. Where are others?

Of course it would be nice if reporters were more knowledgeable but that may
be expecting too much. There are knowledgeable reporters but they aren=92t
necessarily the ones assigned to dealing with this "story".


Vint Cerf: "Internet Access Is Not a Human Right"

Lauren Weinstein <lauren@vortex.com>
Wed, 4 Jan 2012 22:10:37 -0800

Vint Cerf op-ed in *The New York Times*
http://j.mp/wwL9Ip  (New York Times)

  "Improving the Internet is just one means, albeit an important one, by
  which to improve the human condition. It must be done with an appreciation
  for the civil and human rights that deserve protection - without
  pretending that access itself is such a right."


"Megaupload file seizure shows why many cautious about the cloud"

Gene Wirchenko <genew@ocis.net>
Mon, 23 Jan 2012 10:41:44 -0800
  (Ian Paul)

Ian Paul, Megaupload file seizure shows why many cautious about the cloud
The takedown of the file-sharing site over copyright violations provides a
warning about being careful where you store stuff. *ITBusiness*, 21 Jan 2011
http://www.itbusiness.ca/it/client/en/home/News.asp?id=65749

Megaupload users are crying foul after their personal files, not necessarily
copyright-infringing material, stored with the file-sharing service was
seized on Thursday along with a trove of illegally distributed copyrighted
works.

Some of those users took to Twitter complaining about the loss of their
files, as first reported by TorrentFreak. "I had files up there...gone
forever..and they were personal recordings! No copyright infringement!" said
Twitter user J. Amir. Another user complained that her work files were now
gone, and others used more colorful language to describe their predicament.

  See also Nancy Gohring, IDG News Service, *InfoWorld*, 20 Jan 2012:
Fake Megaupload sites pose a security risk; Some sites that could be
phishing operations claim to be the relaunched Megaupload
http://www.infoworld.com/d/security/fake-megaupload-sites-pose-security-risk-184680


Con-men set up face Facebook site asking for donations

Jim Reisert AD1C <jjreisert@alum.mit.edu>
Fri, 20 Jan 2012 15:24:41 -0700

A grieving mother has told how Internet scammers set up a Facebook site
asking for donations to help fund a heart transplant - for her dead
daughter.  The fraudster was asking Facebook users to 'share' a link,
claiming that if 1,000 people do so, Zoe would get a free heart transplant.
Further links were placed in the captions, which directed users to a
counterfeit donation page, and then the donations were routed to the
false charity bank account via PayPal.

http://www.dailymail.co.uk/news/article-2088292/Conmen-set-Facebook-site-asking-donations-help-fund-heart-transplant-dead-toddler.html

This could have been done without Facebook, it just would have been harder.

Jim Reisert AD1C, <jjreisert@alum.mit.edu>, http://www.ad1c.us


Hi-tech heist takes millions from South African Postbank

Jim Reisert AD1C <jjreisert@alum.mit.edu>
Fri, 20 Jan 2012 15:35:12 -0700

A brazen hi-tech heist over three days has left Postbank, part of the South
African Post Office, out of pocket to the tune of 42 million Rand ($5.2M).
A senior IT and banking security expert said yesterday: "The Postbank
network and security systems are shocking and in desperate need of an
overhaul. This [theft ] was always going to be a very real possibility."

http://www.timeslive.co.za/local/2012/01/15/it-was-a-happy-new-year-s-day-for-gang-who-pulled-off...r42m-postbank-heist

[See also John E. Dunn, Gang pulls off $5.2 million bank job via remote access
Glaring IT weaknesses scupper South African bank, *IT Business*, 19 Jan
2012; PGN]
http://www.itbusiness.ca/IT/client/en/CDN/News.asp?id=65721


Hackers post 1000s of Israeli credit card numbers

danny burstein <dannyb@panix.com>
Mon, 2 Jan 2012 22:15:00 -0500 (EST)

Saudi hackers claimed to have published the credit card details of 400,000
Israelis.

Credit card companies say only hundreds of authentic card numbers were
published in reality. A representative from Visa told Israel Radio it would
call customers in the morning to update them on the status of their
accounts.

The hackers published the list of cards, names and other personal details on
the One sports website, which was hacked...

http://www.jpost.com/International/Article.aspx?id=251943

[Also reported by Isabel Kershner in *The New York Times*, 7 Jan 2012,
Cyberattack Exposes 20,000 Israeli Credit Card Numbers and Details About Users
 PGN]
http://www.nytimes.com/2012/01/07/world/middleeast/cyberattack-exposes-20000-israeli-credit-card-numbers.html


Viruses stole City College of S.F. data for years (Nanette Asimov)

Jim Reisert AD1C <jjreisert@alum.mit.edu>
Fri, 13 Jan 2012 19:52:57 -0700

Nanette Asimov, *San Francisco Chronicle*, 13 Jan 2012

Personal banking information and other data from perhaps tens of thousands
of students, faculty and administrators at City College of San Francisco
have been stolen in what is being called "an infestation" of computer
viruses with origins in criminal networks in Russia, China and other
countries, The Chronicle has learned.

At work for more than a decade, the viruses were detected a few days after
Thanksgiving, when the college's data security monitoring service detected
an unusual pattern of computer traffic, flagging trouble.

    http://bit.ly/xIsyh9

This is the scary part:

"It's likely that personal computers belonging to anyone who used a flash
drive during the past decade to carry information home were also affected."


Thieves steal debit-card PIN keypads

Mark Brader
Mon, 9 Jan 2012 14:55:51 -0500 (EST)

Tim Hortons is a major Canadian chain of coffee-and-doughnut shops, many of
which have drive-up windows.  According to police, two thieves in Toronto
(now arrested) committed a series of thefts as follows.  They would drive to
a Tim Hortons drive-up window, order something, and ask to pay by debit.
When the clerk handed out the portable keypad for the driver to enter his
PIN, he would take out a wire cutter, cut the keypad free, and drive off
with it.

Reports say that the keypads could have been reinstalled in retail locations
after being modified into Trojan horses to capture debit card numbers and
PINs.

  http://www.cbc.ca/news/canada/toronto/story/2012/01/09/hortons-pin-machines-stolen.html

  http://news.nationalpost.com/2012/01/09/a-double-double-a-doughnut-and-your-pin-pad-two-charged-in-tim-hortons-thefts/

Mark Brader, Toronto | "Every new technology carries with it an opportunity
msb@vex.net          |  to invent a new crime"     —Laurence A. Urgenson


Pocket-dialed 911 calls increasingly common

Mark Brader
Mon, 9 Jan 2012 19:11:27 -0500 (EST)

Police here in Ontario, Canada, have been seeing a substantial increase in
the number of false-alarm calls to the emergency phone number 911 when no
call was intended at all—"pocket dialing" or "butt dialing".  Since a
call with no one talking might still be a real emergency, this ties up
police resources.

In Toronto, about 10% of 911 calls in 2011 were pocket-dialed calls.  One of
them came from the acting deputy police chief while he was playing golf;
another caller said "I call you guys, like, every day... if you see my
number, it's an accident".  The statistics are even worse in some outer
parts of the Greater Toronto Area, which I suppose have fewer genuine
emergencies per capita: 14% in Halton Region, 33% in Peel Region, and 37% in
York Region!

Police are now campaigning to ask cellphone users to "lock it before you
pocket", but some smartphones can dial 911 even when the phone is locked.

* http://news.nationalpost.com/2012/01/09/ontarios-911-lines-being-smothered-by-pocket-dials/
* http://www.thestar.com/news/article/1112495--any
* http://www.yorkregion.com/news/article/1276413--any
* http://www.torontosun.com/2012/01/08/cops-concerned-about-mistaken-911-call

Mark Brader, Toronto | Subway Emergency Instructions...
msb@vex.net          | * Do not pull the emergency cord.  —MTA, NYC


EFF: Who Is Flying Unmanned Aircraft in the U.S.?

EFF Press <press@eff.org>
Tue, Jan 10, 2012 at 7:33 PM

Government Withholds Information on Drone Flight Authorizations

San Francisco - The Electronic Frontier Foundation (EFF) filed suit today
against the U.S. Department of Transportation (DOT), demanding data on
certifications and authorizations the agency has issued for the operation of
unmanned aircraft, also known as drones.

Drones are designed to carry surveillance equipment—including video
cameras, infrared cameras and heat sensors, and radar—that can allow for
sophisticated and almost constant surveillance.  They can also carry
weapons.  Traditionally, drones have been used almost exclusively by
military and security organizations.  However, the U.S.  Customs and Border
Protection uses drones inside the United States to patrol the U.S. borders,
and state and local law enforcement are increasingly using unmanned aircraft
for investigations into things like cattle rustling, drug dealing, and the
search for missing persons.

Any drone flying over 400 feet needs a certification or authorization from
the Federal Aviation Administration, part of the DOT.  But there is
currently no information available to the public about who specifically has
obtained these authorizations or for what purposes.  EFF filed a Freedom of
Information Act request in April of 2011 for records of unmanned aircraft
activities, but the DOT so far has failed to provide the information.

"Drones give the government and other unmanned aircraft operators a powerful
new surveillance tool to gather extensive and intrusive data on Americans'
movements and activities," said EFF Staff Attorney Jennifer Lynch.  "As the
government begins to make policy decisions about the use of these aircraft,
the public needs to know more about how and why these drones are being used
to surveil United States citizens."

Dozens of companies and research organizations are working to develop even
more sophisticated drones, so their use is poised for a dramatic expansion
in the coming years.  Meanwhile, news reports indicate that the FAA is
studying ways to integrate more drones into the national airspace because of
increased demand from federal, state, and local governments.  EFF's lawsuit
asks for immediate response to our FOIA request, including the release of
data on any certificates and authorizations issued for unmanned aircraft
flights, expired authorizations, and any applications that have been denied.

"The use of drones in American airspace could dramatically increase the
physical tracking of citizens =96 tracking that can reveal deeply personal
details about our private lives," said Lynch.  "We're asking the DOT to
follow the law and respond to our FOIA request so we can learn more about
who is flying the drones and why."

Jennifer Lynch,  Staff Attorney,  Electronic Frontier Foundation
jlynch@eff.org   +1 415-436-9333 x136

For the full complaint:
https://www.eff.org/sites/default/files/filenode/EFFDroneComplaint.pdf
For more on this case:
https://www.eff.org/deeplinks/2012/01/drones-are-watching-you
Find out more at https://www.eff.org.


Nancy G. Leveson: Engineering a Safer World

"Peter G. Neumann" <neumann@csl.sri.com>
Mon, 23 Jan 2012 16:27:59 PST

This book presents an approach to the design and development of systems with
stringent safety requirements.  It is based on Nancy's STAMP model for
safety, which she has been developing and applying for the past decade.  The
book is counter-cultural in many respects, and may be of significant
interest to some of you particularly involved in system safety.  It is by no
means a complete approach to developing safe systems, but it may have
considerable merit as one more structured approach.

Nancy G. Leveson
Engineering a Safer World:
  Systems Thinking Applied to Safety
MIT Press, 2011, xx+534

A brief overview of the Table of Contents gives you an idea of the scope of
the book.

Foundations:
  Why Do We Need Something Different?
  Questioning the Foundations of Traditional Safety Engineering
  System Theory and its Relationship to Safety
STAMP: An Accident Model Based on System Theory
  A Systems-Theoretic View of Causality
  A Friendly Fire Accident
Using STAMP
  Engineering and Operating Safer Systems using STAMP
  Fundamentals
  STPA: A New Hazard Analysis Technique
  Safety-Guided Design
  Integrating Safety into System Engineering
  Analyzing Accidents and Incidents (CAST)
  Controlling Safety during Operations
  Managing Safety and the Safety Culture
  SUBSAFE: An Example of a Successful Safety Program
Four Appendices:
  Definitions
  The Loss of a Satellite
  A Bacterial Contamination of a Public Water Supply
  A Brief Introduction to System Dynamics Modeling
References
Index

Please report problems with the web pages to the maintainer

Top