The RISKS Digest

Forum on Risks to the Public in Computers and Related Systems

ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

Volume 26 Issue 91

Wednesday 11 July 2012

Contents

Stuxnet Parallels to Voting Security
Rebecca T Mercuri
Campaigns to Track Voters with "Political Cookies"
Lauren Weinstein
A320 Lost 2 of 3 Hydraulic Systems on takeoff
PGN
Risks of the Spent Fuel Pool in Reactor Building 4 at Fukushima Daiichi
Peter Bernard Ladkin
More on Fukushima
Richard I. Cook via PGN
San Diego fireworks suffer a *slight* glitch...
David Lesher
Botched computer "upgrade" in sixth day of transactions chaos at RBS
Peter Bernard Ladkin
RBS computer failure condemns man to spend weekend in the cells
Gabe Goldberg
Time isn't on my side; Lesson: Look before you leap...
Henry Baker
Drones: Yet another reason to keep your sextant at hand
Danny Burstein
Scientists crack RSA SecurID 800 tokens, steal cryptographic keys
Lauren Weinstein
Bugs in source code cannot be used in DUI cases in Minnesota
Ben Blout
RAND: Cyberdeterrence and Cyberwar
Lauren Weinstein
France shutting down their /once groundbreaking/ Minitel service
Lauren Weinstein
UK considers broad Web site blocking by default
Lauren Weinstein
Info on RISKS (comp.risks)

Stuxnet Parallels to Voting Security

RTMercuri <notable@mindspring.com>
Tue, 10 Jul 2012 12:45:13 -0400

I had occasion to attend the NIKSUN World Wide Security and Mobility
Conference (WWSMC) on July 9, 2012 in Princeton, NJ. The day's closing
speaker was Mr. Barry Lyons, CISSP, Cyber Architect, Northrop Grumman
Information Systems, on the topic of "STUXNET/FLAME: The Next Generation of
Hideous Cyber Attacks." During the Q&A session at the end of the talk, I
questioned Barry's characterization of the STUXNET components as "new" and
"game changing" and asked him what led him to believe this was the case,
especially since prior research (such as in voting machines) had already
revealed many similar vulnerabilities and potential exploits. In response,
he hopped down off of the stage (he was wearing a wireless microphone),
traveled through a large portion of the audience to just in front of where I
was sitting, and asserted that voting machines were somehow different
because they were "computers." (The talk as well as the Q&A portion was
recorded by IEEEtv, and I will provide a link when it becomes available, to
the Risks Digest.)

I thought that readers of Risks would be interested in seeing my follow-up
email message to Mr. Lyons (prompted by his suggestion that we should
continue the conversation later), along with his insightful reply (at the
bottom):

----- Original Message -----
Subject: Your Stuxnet Talk
Date: Tue, 10 Jul 2012 11:18:59 -0400
From: RTMercuri <notable@mindspring.com>
To: barry.lyons@ngc.com

Barry --

Apparently I hit a nerve last evening with my question about the potential
exploits of programmable logic controllers having been warned about, years
prior to the advent of Stuxnet. Upon returning home, I glanced through my
Ph.D. dissertation (Electronic Vote Tabulation: Checks & Balances, publicly
defended October 27, 2000 at the School of Engineering and Applied Science
of the University of Pennsylvania, freely downloadable at
http://www.cis.upenn.edu/grad/documents/mercuri-r.pdf), and located (pages
49-50) the portion of the paragraph that I had recalled writing some 12
years ago, as follows:

"But just because tampering with the software may not be the easiest method
does not mean that it has not or will not be done. Thompson's [Footnote: Ken
Thompson, "Reflections on Trusting Trust," Communications of the ACM, August
1984] implication is that the hooks and backdoors, particularly those within
compilers and operating systems, exist and have already been proliferated
invisibly throughout the industry. Under this view, software rigging is
assumed to have already happened, rather than just a speculative
possibility. One could extend these assumptions as well to the
hardware. Presently there is nothing that restricts vendors from using
custom integrated circuit chips in the DREs [Direct Recording Electronic
voting machines], and some do, even for the CPUs.  It is not inconceivable
that a crafty individual could devise a set of microcoded instructions that
would be activated only under certain situations. Reliance on any particular
vendor or brand of components would therefore increase vulnerability. Some
chips now even permit internally reconfigurable microcode as well as
microarchitecture, and such a self-modifying CPU could erase any trace of
its own subroutines once they were executed. With election dates and times
being well-known and predictable, this could occur within the space of
microseconds during the voting session."

This description is most certainly generically predictive of targeted
long-term attacks on specialized hardware, from particular vendors,
established in air-gapped networks, that can exploit vulnerabilities such as
those presented with programmable logic controllers. As well, numerous
researchers (including Harri Hursti in 2005 and Ed Felten in 2006) have
repeatedly demonstrated that removable memory units (such as those that
establish ballot configurations for elections) can be compromised such that
the system will generate false reports, as well as assist in the
dissemination of malware that is transferable from machine to machine. The
parallels to Stuxnet are clearly obvious.

I had thought that you would welcome the opportunity to explain, or at least
acknowledge, to the WWSMC conference audience, the fact that many salient
aspects of the Stuxnet approach were indeed exploits of long-known
vulnerabilities. Instead, I was rather surprised that you chose to continue
with head-in-the-sand assertions that Stuxnet was somehow new and also a
"game changer." I recognize that it is embarrassing that your employer,
Northrop Grumman (and many other large firms relied on by the U.S. and other
governments to provide security advice and protection), was caught with its
pants down in being unaware of particular design flaws common to many
critical infrastructure systems (including those that elect the officials
that authorize payment for your security analysis and training contracts
with our tax dollars).  But to pretend that the possibility of such attacks
had not been well-publicized by highly-regarded computer security experts,
years before Stuxnet, is foolhardy, since it perpetuates the illusion that
systems developers need not keep abreast of all such advance warnings in the
scientific literature.

Certainly, rogue government agents, malcontents, and recreational hackers,
have their ears to the ground in monitoring these computer security
discussions, as their proof-of-concept attacks continue to illustrate. This
started with the Morris Worm in 1988, with its exploit of UNIX security
flaws previously exposed by the hacker's father (some believe that the elder
Morris may have intentionally put his son up to the challenge or
conveniently provided the tools and information necessary to perform the
attack, after the scientist's earlier admonishments in this regard were not
taken seriously by the technical community). Indeed, Robert Sr.'s remarks
(to the NY Times, November 5, 1988), that the worm "has raised the public
awareness to a considerable degree" and that "it is likely to make people
more careful and more attentive to vulnerabilities in the future," are not
much different, especially in their naivete, from your "game changer"
assertions.

As you continue in your role as a security evangelist, I would urge you to
modify your take-home messages, such as in talks on Stuxnet and other
NextGen attacks, to include warnings that the development of malware does
not occur in a vacuum. Security experts need to be as well-informed (if not
more so) on the evolving exploitable design flaws, as those who intend to
compromise it already are. If not, then we are most certainly conceding the
future CyberWars to the opposition. In fact, we may have already lost the
upcoming battles. Good predictive security means that fewer reactive
band-aids should need to be used and less loss may occur.  In this regard,
Dr. Pruthi and his colleagues at NIKSUN are to be commended for raising the
bar on "knowing the unknown" especially by bringing such warnings to the
attention of the security community while there is still time to consider
redesigns, instead of encouraging reliance on after-the-fact mitigation
methods.

I welcome your thoughts and hope to continue this dialogue.

Rebecca Mercuri, Ph.D., Notable Software, Inc.

-------- Reply --------
Subject: Re: EXT :Your Stuxnet Talk
Date: Tue, 10 Jul 2012 16:10:52 +0000
From: Lyons, Barry (IS) <barry.lyons@ngc.com>
To: 'notable@mindspring.com' <notable@mindspring.com>

Dear Dr. Mercuri,

Wishing you success in all endeavors.

Barry Lyons, CISSP
Sent from BlackBerry - please forgive errors.


Campaigns to Track Voters with "Political Cookies"

Lauren Weinstein <lauren@vortex.com>
Wed, 27 Jun 2012 08:07:16 -0700

http://j.mp/M4qHis  (Technology Review via NNSquad)

  "The firm gathers publicly available voter files from all 50 states and
  supplements this with records of political donations and other profiles
  purchased from commercial data brokers, says CEO Jeff Dittus.  Then,
  working with about 100 high-traffic websites that register their users,
  they can match the offline data to the online identities of individuals."

While I generally feel that way too much angst is directed at Web site ad
personalization and related tracking, the creepy line is breached for me
when non-Web activities (and related identity linkages at some level) are
merged with online actions, especially without users' active notification
and specific informed consent.  This is particularly of concern when
political activities are involved, since the main goal of such systems seems
to be to pitch what cynical observers of the political process might call
personalized lies.  The underlying technology is not new.  I've been
publicly discussing what I consider to be abuses in this realm by Aristotle,
in postings I've made since late in the last century!  And to see Aristotle
now salivating at the prospect of how online voting would play into all this
has to be one of the most chilling warnings against the utterly unworkable
and dangerous concept of online voting that has yet been explicitly stated,
albeit unintentionally.


A320 Lost 2 of 3 Hydraulic Systems on takeoff

"Peter G. Neumann" <neumann@csl.sri.com>
Mon, 25 Jun 2012 10:34:30 PDT

Interesting story from aero-news.net [Thanks to Ira Rimson.]

A JetBlue A320 on a flight from Las Vegas to New York Tuesday reportedly
lost two of its three hydraulic systems during the flight, which forced the
pilot to circle an area south of the Nevada city for four hours burning off
enough fuel to make a safe landing. Passengers described the experience as
the airplane "careening wildly through the sky" as it made steep turns and
"lurched from side to side."

One of the pilots of the plane told ATC that "we've lost two hydraulic
systems," and declared an emergency, according to a report in the New York
Post. JetBlue confirmed that the incident occurred.

The plane, which had just departed from Las Vegas, carried five hours of
fuel. The A320 is unable to dump fuel, so the pilot had to stay airborne
while it was burned off. One passenger described the flight as "four hours
of hell." Another described "an obvious metal screeching" just as the
airplane lifted off from McCarran International Airport.

Dave Esser, an ERAU professor based in Florida, said that the side-to-side
swerving was a likely sign of a loss of lateral control. But Esser said the
passengers were not in serious danger because of the backup systems and
redundancies built into the Airbus. However, an Airbus manual indicated
that the simultaneous failure of two hydraulic systems is "improbable in
operation."

The airplane did eventually land safely. The FAA and NTSB will conduct an
investigation.


Risks of the Spent Fuel Pool in Reactor Building 4 at Fukushima Daiichi (Yurman, RISKS-28.87)

Peter Bernard Ladkin <ladkin@rvs.uni-bielefeld.de>
Tue, 26 Jun 2012 08:07:21 +0200

In RISKS-28.87, Dan Yurman tries to reassure us about the state of the Spent
Fuel Pool in Reactor Building 4 at Fukushima Daiichi nuclear power
plant. Yurman cites an article by Will Davis on a blog at the American
Nuclear Society.

Yurman's note seems to me to be little more than propaganda, and Davis's
account is flawed. There are obvious reasons to continue to worry about the
state of this Spent Fuel Pool (SFP4), about its structural stability, as
well as the continued viability of its ad-hoc cooling system.

As far as I know, there is no public hazard analysis of the state of SFP4;
neither do I know of an engineering assessment of it independent of Tepco.

Such an independent assessment seems to me to be required. There are
instances in which engineering representations in which Tepco has been
involved, for example assessing the INES Level of the situation at Reactors
5 and 6, have misled as to the true situation. That is surely something
which would have been noted in an adequate report on engineering
performance, yet Tepco has recently produced one and "exonerates itself",
according to the New York Times' Hiroko Tabuchi.
http://www.nytimes.com/2012/06/21/world/asia/tepco-operator-of-fukushima-exonerates-itself-in-report.html
It "never hid information, never underplayed the extent of fuel meltdown and
certainly never considered abandoning the ravaged site. It asserts that
government interference in the disaster response created confusion and
delays."

The worst case outcome of a structural failure of SFP4 is nowhere near
benign, as Davis suggests.  The chances of that worst-case outcome are
neither zero nor negligible. These two observations alone suffice to vitiate
the claims of Yurman and Davis.

I wrote an extended essay at
http://www.abnormaldistribution.org/2012/06/05/concerns-about-spent-fuel-pool-4-at-fukushima-daiichi/

Peter Bernard Ladkin, University of Bielefeld and Causalis Limited


Fukushima

"Peter G. Neumann" <neumann@csl.sri.com>
Sun, 8 Jul 2012 9:13:20 PDT

  [From Richard I. Cook, MD]

http://naiic.go.jp/en/report/
http://naiic.go.jp/en/about/chairmans-message/

Chairman's message

“...nuclear power became an unstoppable force, immune to scrutiny by civil
society. Its regulation was entrusted to the same government bureaucracy
responsible for its promotion. At a time when Japan's self-confidence was
soaring, a tightly knit elite with enormous financial resources had
diminishing regard for anything `not invented here.'

“This conceit was reinforced by the collective mindset of Japanese
bureaucracy, by which the first duty of any individual bureaucrat is to
defend the interests of his organization. Carried to an extreme, this led
bureaucrats to put organizational interests ahead of their paramount duty to
protect public safety.

“Only by grasping this mindset can one understand how Japan's nuclear
industry managed to avoid absorbing the critical lessons learned from Three
Mile Island and Chernobyl; and how it became accepted practice to resist
regulatory pressure and cover up small-scale accidents. It was this mindset
that led to the disaster at the Fukushima Daiichi Nuclear Plant...”


San Diego fireworks suffer a *slight* glitch...

David Lesher <wb8foz@panix.com>
Thu, 05 Jul 2012 19:59:59 -0400

and a 20+ minute show goes off in 15 seconds....

I'm shocked to read that:

  Garden State co-owner August Santore spoke to KPBS media partner Channel
  10 News. He said the mishap wasn't due to human error or firework
  technology, but to a corrupt computer file.

<http://www.kpbs.org/news/2012/jul/05/sd-bay-fireworks-show-major-misfire/>

  [Corrupt, eh?  I'm really shocked that a computer file would be so evil.
  PGN]


Botched computer "upgrade" in sixth day of transactions chaos at RBS

Peter Bernard Ladkin <ladkin@rvs.uni-bielefeld.de>
Tue, 26 Jun 2012 07:39:01 +0200

Last Tuesday, 19 Jun 2012, the Royal Bank of Scotland upgraded a computer
system associated with transaction processing. It didn't go well. The
transaction-processing system, which apparently processes up to 10 million
transactions per day, was not able to keep up with demand.

*The Guardian* is reporting that up to 13 million customers of RBS and
subsidiary banks, including NatWest and Ulster Bank, have been unable to
access account information. Payments, including automatic payments on loans,
have not been made. The Financial Services Authority, which regulates
banking and finance in GB, is demanding a "complete account" of the
problems.

The bank branches have been opened later hours until 7pm, to enable personal
transactions for people after work, and were also open Sunday, for which
7,000 temporary staff were hired, according to the Guardian.

I have no technical details. The public reports seem to be somewhat shy of
details. I don't know whether it is SW, HW, or SW+HW, and I don't know which
system is involved; whether it is the transaction-processing system itself
or some other interconnected system.

Stephen Hester, chief executive of RBS, says the bank is "well on the way to
recovery" from the problems. Reports from customers on Monday, 25 June, were
that many were no longer experiencing problems.

Suppose that such computerised highly-connected transaction-processing
systems have been in place for 40 years (Wikipedia suggests that the first
"modern" ATMs, which were enabled for simultaneous transaction processing,
came into use in 1972 in the UK, although I remember them first from Wells
Fargo Bank in California in the mid-late 1970's.) At 8,760 hours in the year
(or 8,784 in a leap year), 40 years represents about 350,000 operating
hours. Looking at it another way, if there is a major system upgrade once a
week, then 40 years represents about 20,000 system upgrades. Not that these
figures give much of a guide to reliability (for example, the systems have
changed almost unrecognisably in this time), upgrading a running TP system
seems not to be an operation which one would call ultrareliable, given the
meaning of that term in the critical-systems community.

Peter Bernard Ladkin, Causalis Limited and University of Bielefeld

  [Also noted by Wendy Grossman.  PGN]
http://www.guardian.co.uk/technology/2012/jun/25/how-natwest-it-meltdown


RBS computer failure condemns man to spend weekend in the cells

Gabe Goldberg <gabe@gabegold.com>
Tue, 26 Jun 2012 10:36:12 -0400

Companies are of course responsible for problems caused by shortcuts,
mistakes, malfeasance. But it's not clear who's the villain here—if there
is one. Offshoring jobs is mentioned but not conclusively implicated. The
company's mostly apologetic tone seems appropriate (though more explanation
would have helped) and the last couple sentences are correct:

Things go wrong. Things go wrong in technology. We have to learn the lessons
from what went wrong here and try to make them less likely to happen in the
future.

RBS computer failure condemns man to spend weekend in the cells - Telegraph
[Source: *The Telegraph*]

http://www.telegraph.co.uk/finance/personalfinance/consumertips/banking/9355467/RBS-computer-failure-condemns-man-to-spend-weekend-in-the-cells.html

Gabriel Goldberg, Computers and Publishing, Inc.       gabe@gabegold.com
3401 Silver Maple Place, Falls Church, VA 22042           (703) 204-0433


Time isn't on my side; Lesson: Look before you leap...

Henry Baker <hbaker1@pipeline.com>
Tue, 03 Jul 2012 07:57:15 -0700

http://seekingalpha.com/article/699681-big-cloud-lessons-from-a-bad-weekend?source=yahoo

"Yelp (YELP), Reddit, and LinkedIn (LNKD) all suffered problems from the
addition of a "leap second" at midnight on Saturday, aimed at synchronizing
Internet time with the atomic clocks of real time.  Those systems with
configurations expecting 60 second minutes were knocked down, and although
they quickly got back up it was embarrassing."


Drones: Yet another reason to keep your sextant at hand

danny burstein <dannyb@panix.com>
Thu, 28 Jun 2012 15:45:36 -0400 (EDT)

Commercial Drones and GPS Spoofers a Bad Mix

Researchers at the University of Texas at Austin Radionavigation Laboratory
have successfully demonstrated that a drone with an unencrypted GPS system
can be taken over by a person wielding a GPS spoofing device.  You can see a
video accompanying a Fox News story on it, as well as a video here of an
experiment conducted by the researchers, led by Professor Todd Humphreys.

Humphreys and company were recently invited by the U.S. Department of
Homeland Security (DHS) to demonstrate whether their capability to
successfully spoof commercial GPS systems in the laboratory could work in
the field. ...

The UT researchers took equipment costing about $1000 to the White Sands
Missile Range in New Mexico last week and showed observers from both the
Federal Aviation Administration (FAA) and DHS how control of a test drone
could be taken away from its original overseers. The UT researchers, as the
above article notes, have been able to take control of basically every type
of unencrypted commercial GPS system in their laboratory.

rest:
http://spectrum.ieee.org/riskfactor/aerospace/aviation/commercial-drones-and-gps-spoofers-a-bad-mix

popular news article:
  http://rt.com/usa/news/texas-1000-us-government-906/

Note that this is _unencrypted_ GPS, but that's a hefty chunk of the users.

  [Also noted by Paul Saffo.  PGN]


Scientists crack RSA SecurID 800 tokens, steal cryptographic keys

Lauren Weinstein <lauren@vortex.com>
Mon, 25 Jun 2012 08:38:07 -0700

http://j.mp/MvhBKv  (ars technica via NNSquad)

  "The exploit, described in a paper to be presented at the CRYPTO 2012
  conference in August, requires just 13 minutes to extract a secret key
  from RSA's SecurID 800, which company marketers hold out as a secure way
  for employees to store credentials needed to access confidential virtual
  private networks, corporate domains, and other sensitive environments. The
  attack also works against other widely used devices, including the
  electronic identification cards the government of Estonia requires all
  citizens 15 years or older to carry, as well as tokens made by a variety
  of other companies."


Bugs in source code cannot be used in DUI cases in Minnesota

Ben Blout <bdbnext@mit.edu>
Mon, 2 Jul 2012 23:09:43 -0400 (EDT)

A ruling from the Minnesota Supreme Court means that defendants will not
be able to use  the source code for the Intoxilyzer breath-test machine
in their legal defense.  (These machines are used to determine blood
alcohol levels for DUI cases, and are known colloquially as breathalyzers.)

An earlier ruling found that the source code contained bugs, including
one that caused the proximity of a cell phone during testing to affect
results.  However, the Supreme Court ruled that the Intoxilyzer was
accurate by a preponderance of the evidence.

http://minnesota.publicradio.org/collections/special/columns/news_cut/archive/2012/06/minnesota_supreme_court_limits.shtml
http://www.startribune.com/local/160533855.html

An earlier article, including mention that the replacement devices include their
source code:
http://www.startribune.com/local/158324965.html


RAND: Cyberdeterrence and Cyberwar

Lauren Weinstein <lauren@vortex.com>
Thu, 28 Jun 2012 12:34:14 -0700

http://j.mp/NGWeTb  (RAND [PDF] via NNSquad)

  "Cyberwar is nothing so much as the manipulation of ambiguity. The author
  explores these topics in detail and uses the results to address such
  issues as the pros and cons of counterattack, the value of deterrence and
  vigilance, and other actions the United States and the U.S. Air Force can
  take to protect itself in the face of deliberate cyberattack."


France shutting down their /once groundbreaking/ Minitel service

Lauren Weinstein <lauren@vortex.com>
Wed, 27 Jun 2012 22:05:19 -0700

http://j.mp/MUYSag  (BBC [Video])

  "France is switching off its groundbreaking Minitel service which brought
  online banking, travel reservations, and porn to millions of users in the
  1980s.  But then came the worldwide web. Minitel has been dying slowly and
  the plug will be pulled on Saturday."


UK considers broad Web site blocking by default

Lauren Weinstein <lauren@vortex.com>
Wed, 27 Jun 2012 19:30:01 -0700

http://j.mp/LuEiK7  (BBC via NNSquad)

   "The government is to consider putting extra pressure on computer users
   to filter out pornography when setting up Internet accounts.  Ministers
   are suggesting that people should automatically be barred from accessing
   unsuitable adult material unless they actually choose to view it.  It is
   one of several suggestions being put out for a consultation on how to
   shield children from pornography.  Websites promoting suicide, anorexia
   and self-harm are also being targeted."

The good old UK police state mentality marches on.  And of course, if
you ask to have the blocks lifted, you automatically go on Her
Majesty's government "pervert" list.
