The Risks Digest

The RISKS Digest

Forum on Risks to the Public in Computers and Related Systems

ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

Volume 26 Issue 92

Tuesday 17 July 2012

Contents

Major Snafu in New Zealand Election was 'Human Error'
Chris J Brady
FDA spied on its own people - and then the evidence leaked
Peter Houppermans
Deep packet inspection device purged of flaw that threatened TOR users
Ars Technica via Lauren Weinstein
Cyberoam fixes SSL snooping hole in network security appliances
Lucian Constantin via Gene Wirchenko
Privacy trumps cybersecurity!
PGN
Wireless Device syncs through anyone's computer
Richard Karash
In the UK, encryption implies potential guilt?
Lauren Weinstein
China censoring video
Didi Tang via Rodney Van Meter
FCC chief blasts Russia for passing Internet censorship bill
Brendan Sasso via Dewayne Hendricks
Yahoo Passwords Stolen in Latest Data Breach
Drew Fitzgerald via Monty Solomon
American Express security cluelessness
Jonathan Kamens
Re: San Diego fireworks suffer a *slight* glitch
Joel Garry
Re: A320 Lost 2 of 3 Hydraulic Systems on takeoff
Roger Hird
Re: RBS computer failure condemns man
Martin Ward
Chris D.
Re: UK considers broad Web site blocking by default
Chris D.
Re: Taxing old browsers out of existence
Jonathan Kamens
Announcement of civil timekeeping meeting
Rob Seaman
Info on RISKS (comp.risks)

Major Snafu in New Zealand Election was 'Human Error'

Chris J Brady <chrisjbrady@yahoo.com>
Wed, 11 Jul 2012 06:09:50 -0700 (PDT)

Human error is being blamed for the TECT election blunder where 10,000
election packs were sent to old or incorrect addresses. [Why did the
database have old or incorrect addresses in it in the first place? - CJB]

An error in setting the parameters in establishing the TECT election voter
database resulted in the error, estimated to cost about NZ$80,000.
TrustPower spokesman Graeme Purches says: "the search parameters used when
separating eligible voters from the company's everyday database had not been
broad enough. It was just a human error, simple as that. It was for a
purpose that we don't normally use it for."

[Using casual NZ-speak for dumbing down the snafu - CJB] he continued: "It
involves going into the system and setting a bunch of parameters. The person
who did it didn't set the parameters correctly and then the thing wasn't
tested."  [Er - what's a 'bunch of parameters' - ah - yes 'search
constraints.']  He added: "This is a request that happens once every two
years, so somebody was doing something they don't normally do as part of
their job and, unfortunately, we didn't have the checks and balances in
place to make sure it was done absolutely correctly."  [Nothing like a
trial run then?  -> CJB]

http://www.sunlive.co.nz/news/28228-human-error-caused-tect-botchup.html


FDA spied on its own people - and then the evidence leaked

Peter Houppermans <peter@houppermans.com>
Sun, 15 Jul 2012 13:09:22 +0200

An absolute classic example of what can happen if surveillance isn't very
tightly controlled: the FDA's attempts to find an insider leak came off the
rails in a way that will be costly in both financial and human terms.

http://www.nytimes.com/2012/07/15/us/fda-surveillance-of-scientists-spread-to-outside-critics.html?_r=1
http://j.mp/PURO0p

"In Vast Effort, F.D.A. Spied on E-Mails of Its Own Scientists
Eric Lichtblau and Scott Shane, *The New York Times*, 14 Jul 2012

  A wide-ranging surveillance operation by the Food and Drug Administration
  against a group of its own scientists used an enemies list of sorts as it
  secretly captured thousands of e-mails that the disgruntled scientists
  sent privately to members of Congress, lawyers, labor officials,
  journalists and even President Obama, previously undisclosed records
  show."

This is exactly the scenario I offer those who think they have nothing to
hide: after abuse of intercept capability, the second risk is not what
people in an official capacity see (it's their job), it's what happens when
that information escapes into the wild through malice or incompetence.  The
privilege of the ability to violate the basic human right to privacy to
fight crime must be guarded jealously and should only be exercised with
oversight.

The question "what do you have to hide" is in my opinion reserved for those
who seek to avoid accounting for their call on that privilege.

Note that the FDA has come up with a new "crime": people are "guilty of
RECEIVING confidential information".

Unbelievable...

Peter Houppermans, President, Private & Confidential Group (PnCG), Switzerland


Deep packet inspection device purged of flaw that threatened TOR users

Lauren Weinstein <lauren@vortex.com>
Mon, 9 Jul 2012 15:54:17 -0700

http://j.mp/NaSQDz  (ars technica)

  "Examination of a certificate chain generated by a Cyberoam DPI device
  shows that all such devices share the same CA certificate and hence the
  same private key," TOR researcher Runa A. Sandvik wrote in a blog post
  published last Tuesday. "It is therefore possible to intercept traffic
  from any victim of a Cyberoam device, or to
  extract the key from the device and import it into other DPI devices, and
  use those for interception." Someone commenting on the post went on to
  publish the purported private key used by the Cyberoam certificate.

Lauren Weinstein (lauren@vortex.com): http://www.vortex.com/lauren
People For Internet Responsibility: http://www.pfir.org
Network Neutrality Squad: http://www.nnsquad.org


Cyberoam fixes SSL snooping hole in network security appliances

Gene Wirchenko <genew@ocis.net>
Tue, 10 Jul 2012 20:39:58 -0700
  (Lucian Constantin)

Lucian Constantin, *InfoWorld*, 9 Jul 2012
Cyberoam issues a hotfix for UTM appliances after the default private
key used for SSL traffic inspection gets leaked online
http://www.infoworld.com/d/security/cyberoam-fixes-ssl-snooping-hole-in-network-security-appliances-197299
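The two Cyberoam items above make one point: a fleet of interception devices sharing a single CA private key means a certificate minted on any one box (or with the extracted key) is trusted by every client that was taught to trust any of them. The following Go program is an added example, not Cyberoam's firmware or Sandvik's code, and every name in it (the hosts, the "Shared DPI CA" and "Public Root CA" labels, the keys it generates at run time) is a hypothetical stand-in. It builds two "boxes" over one key, shows that a leaf issued by box B validates for a client that only ever installed box A's certificate, and then shows the client-side check that still catches it: pinning the SPKI fingerprint of the issuer you actually expect, which the shared DPI CA cannot match no matter which box signs.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/hex"
	"fmt"
	"math/big"
	"time"
)

func check(err error) {
	if err != nil {
		panic(err)
	}
}

// mustKey returns a fresh P-256 key: a device's or a CA's signing key.
func mustKey() *ecdsa.PrivateKey {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	check(err)
	return k
}

// create signs tmpl (holding pub) with priv under parent and parses the result.
func create(tmpl, parent *x509.Certificate, pub, priv any) *x509.Certificate {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, priv)
	check(err)
	c, err := x509.ParseCertificate(der)
	check(err)
	return c
}

// newCA builds a self-signed CA cert over key; two calls with one key model two boxes.
func newCA(name string, key *ecdsa.PrivateKey) *x509.Certificate {
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: name},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign,
	}
	return create(tmpl, tmpl, &key.PublicKey, key)
}

// issueLeaf mints a server cert for host under ca, as a DPI box does per visited site.
func issueLeaf(host string, ca *x509.Certificate, caKey *ecdsa.PrivateKey) *x509.Certificate {
	leafKey := mustKey()
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2),
		DNSNames:     []string{host},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	return create(tmpl, ca, &leafKey.PublicKey, caKey)
}

// SPKIFingerprint is SHA-256 over the SubjectPublicKeyInfo: what pinning compares.
func SPKIFingerprint(c *x509.Certificate) string {
	sum := sha256.Sum256(c.RawSubjectPublicKeyInfo)
	return hex.EncodeToString(sum[:])
}

// Accept models a client with exactly these roots installed. pin == "" is browser
// behaviour (any chain to an installed root wins); otherwise a CA in the chain must match.
func Accept(leaf *x509.Certificate, host, pin string, roots ...*x509.Certificate) bool {
	pool := x509.NewCertPool()
	for _, r := range roots {
		pool.AddCert(r)
	}
	chains, _ := leaf.Verify(x509.VerifyOptions{DNSName: host, Roots: pool}) // nil on error
	for _, chain := range chains {
		for _, c := range chain[1:] {
			if pin == "" || SPKIFingerprint(c) == pin {
				return true
			}
		}
	}
	return false
}

func main() {
	const host = "bank.example" // assumed victim hostname
	shared := mustKey()         // the one factory key baked into every box (assumed)
	boxA, boxB := newCA("Shared DPI CA", shared), newCA("Shared DPI CA", shared)
	realKey := mustKey()
	realCA := newCA("Public Root CA", realKey)
	genuine, forged := issueLeaf(host, realCA, realKey), issueLeaf(host, boxB, shared)
	pin := SPKIFingerprint(realCA) // the client pins the issuer it actually expects
	fmt.Println(SPKIFingerprint(boxA) == SPKIFingerprint(boxB), // boxes share one SPKI
		Accept(forged, host, "", boxA),           // box B's leaf, client trusts only box A
		Accept(genuine, host, pin, realCA, boxA), // genuine chain passes the pin
		Accept(forged, host, pin, realCA, boxA))  // forged chain fails the pin
}
```

The hotfix Cyberoam shipped (a per-device CA) closes the cross-device case but not the general one: any interception CA a client has been made to trust can mint a valid leaf for any name, which is why the pin is checked against the issuer you expect rather than against whatever the trust store happens to accept.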


Privacy trumps cybersecurity!

"Peter G. Neumann" <neumann@csl.sri.com>
Wed, 11 Jul 2012 20:25:48 PDT

Interesting analysis, in that many people don't understand the implications
of the loss of privacy *or* of the nonexistence of meaningful cybersecurity.

http://nationaljournal.com/daily/privacy-trumps-cybersecurity-poll-shows-20120710


Wireless Device syncs through anyone's computer

Richard Karash <richard@karash.com>
Tue, 10 Jul 2012 15:52:22 -0400

FitBit is a personal pedometer in a tiny package. Also records your
sleep. Connects wirelessly through a very modest "base station" connected by
USB to your computer. The wireless connection is ANT 2.4GHz from Nordic, and
ANT FS file protocol. Your FitBit data is harvested anytime you are near
your base station, sent to their Cloud (a web site) for your
inspection. Page displays your data and last sync time.

I became suspicious when I found my data was updated when I hadn't been near
my base station and computer.

As just confirmed by the manufacturer at fitbit.com, every FitBit pedometer
syncs through any base station that it happens to encounter.  Unless the
whole transaction is encrypted, Eve could watch the communications stack
or use the APIs to configure a base station to harvest this data.

Risk: Not much in this specific case; my pedometer data isn't very
sensitive, but I am more concerned that others might know exactly when I
went to sleep, got up, and how many times I awoke during the night. What if
a manufacturer of a richer device adopted the same practice? Your contacts
or worse, visible to any Eve who wants to collect data?


In the UK, encryption implies potential guilt?

Lauren Weinstein <lauren@vortex.com>
Thu, 12 Jul 2012 18:37:08 -0700

In The UK, You Will Go To Jail Not Just For Encryption, But For Astronomical
Noise, Too

http://j.mp/Sf2EwT  (Falkvinge via NNSquad)

  "There was some surprise in the comments of yesterday's post over the fact
  that the United Kingdom has effectively outlawed encryption: the UK will
  send its citizens to jail for up to five years if they cannot produce the
  key to an encrypted data set."


China censoring video (Didi Tang)

Rodney Van Meter <rdv@sfc.wide.ad.jp>
July 12, 2012 9:43:40 PM EDT

Didi Tang, *CIO Today*, July 12, 2012 [via Dave Farber's IP]
At the same time Russia is increasing Internet censorship, so is China.
China Tightens Up Online Video Censorship
http://www.cio-today.com/news/China-To-Censor-Online-Video-Content-/story.xhtml?story_id=030002R9QVAU

If you run a video web site in China, you now have a daunting task: Screen
all your content and censor out anything questionable before posting.
Regulators say video providers should bear responsibility for web programs,
though they did not offer specific standards or mention penalties for online
providers who fail to comply.


FCC chief blasts Russia for passing Internet censorship bill

Dewayne Hendricks
Thursday, July 12, 2012
  (Brendan Sasso)

Brendan Sasso, *The Hill*, 12 Jul 2012
http://thehill.com/blogs/hillicon-valley/technology/237515-fcc-chief-blasts-russia-for-passing-internet-censorship-bill

Julius Genachowski, chairman of the Federal Communications Commission (FCC),
issued a statement late Wednesday slamming Russia for passing a bill that
would allow the government to blacklist certain websites.

He said the country had moved in a "troubling and dangerous direction."

"The world's experience with the Internet provides a clear lesson: a free
and open Internet promotes economic growth and freedom; restricting the free
flow of information is bad for consumers, businesses, and societies," he
said.

The FCC chief explained that he recently attended an economic forum in
Russia where he discussed how expanding broadband Internet access can grow a
country's economy and improve education, health care and government
services. He argued that a free and open Internet is essential to meeting
those goals.  "I believe this legislation will stifle investment in
broadband and impede innovations that could advance Russia's promising
Internet economy," Genachowski said.

The Russian Duma, its lower house of Parliament, approved the controversial
bill unanimously on Wednesday. The measure would give the government the
power to force site owners and Internet providers to shut down blacklisted
sites. Supporters of the bill say it is aimed at curbing child pornography
and sites that promote drug use or suicide.

But critics warn it is an attempt to stifle political dissent in a country
where the government already owns the television stations. The Russian
Wikipedia blacked itself out earlier this week in protest, warning the bill
would create the Russian version of China's "great firewall," which allows
the government to filter Internet content.


Yahoo Passwords Stolen in Latest Data Breach (Drew Fitzgerald)

Monty Solomon <monty@roscom.com>
Fri, 13 Jul 2012 00:14:53 -0400

Drew Fitzgerald, Yahoo Passwords Stolen in Latest Data Breach,
*Wall Street Journal*, 12 Jul 2012

Yahoo Inc. said it is investigating a data breach that allowed a hacker
group to download about 453,000 unencrypted user names and passwords in
another black eye for the Internet company.

The Sunnyvale, Calif., company said Thursday that the compromised user
information belongs to Yahoo Voices, a self-publishing service once known as
Associated Content. A hacking organization called D33Ds Co. posted the
stolen data on its website and appended a note describing the download "as a
wake-up call and not as a threat." The group said it aims to expose Yahoo's
vulnerabilities.

Yahoo said that less than 5% of the Voices accounts had still-valid
passwords, though the file disclosed email addresses from hundreds of
thousands of users.

Some people registered for the Yahoo service using email addresses from
other services such as AOL Inc. and Google Inc.'s Gmail, neither of which
were hacked. But with users' Yahoo Voices passwords exposed online, those
users who shared passwords across several websites could still see other
accounts compromised.

Yahoo said in an emailed statement that it is fixing the vulnerability that
led to the data breach. The company also said it is changing affected users'
passwords and notifying companies with accounts that might have been
compromised.

Constellation Research analyst Ray Wang said Yahoo apparently fell prey to
an extremely common kind of database attack that most companies typically
take steps to combat.  ...

http://online.wsj.com/article/SB10001424052702304373804577522613740363638.html


American Express security cluelessness

Jonathan Kamens <jik@kamens.us>
Wed, 4 Jul 2012 18:58:50 -0400

American Express called me today to discuss an issue with my (corporate)
card. They left a voicemail message telling me to call them back. The number
they gave was different than the number on the back of my card. I called it,
and the first thing I heard was a recorded voice asking me to enter my
credit card number. I hung up and called the number on the back of the card.

It turns out the call was legitimate, but it could just have easily been a
social engineering attempt to get my AmEx card number and other data.

It's distressing that AmEx, which really should know better, is too stupid
to understand that they should not be conditioning their customers to call
random telephone numbers based on nothing more than a generic voicemail
message. "Please call the number on the back of your card" would be a far
better idea.


Re: San Diego fireworks suffer a *slight* glitch (Lesher, RISKS-26.91)

jgar the jorrible <joel-garry@home.com>
Thu, 12 Jul 2012 14:12:05 -0700 (PDT)

The company has an official statement:
http://www.bigbayboom.com/wp-content/uploads/2012/07/BBBFS-Garden-State-News-Release-July-11-2012.pdf

  "Before the two files are loaded into each of the five computer
  controllers, the primary and the secondary file are merged through the
  software to create a new file that is then loaded into each of the
  controllers. During the downloading process, an unintentional additional
  procedural step occurred in the loading process which allowed the creation
  of an anomaly that 'doubled' the primary firing sequence. The primary
  sequence then consisted of a sequence that would fire the entire display
  simultaneously and then proceed to fire the display in the proper
  sequence."

I wonder what that additional procedural step was?  Shaky fingers on
control-v paste?


Re: A320 Lost 2 of 3 Hydraulic Systems on takeoff (RISKS-26.91)

Roger Hird <rl.hird@orpheusmail.co.uk>
Wed, 11 Jul 2012 19:25:53 +0100

There was a substantial exchange of INFORMED professional comment on this
incident in the Rumours and News forum of www.pprune.org about two weeks ago
- including detailed consideration of the consequences of failure of each of
the three hydraulic systems or combinations of them.  The original newspaper
report is stronger on passenger reports than on hard facts.  The
professionals did manage to worm out that the crew probably managed to bring
one of the "failed" systems back into use before landing (it isn't clear on
the limited information available if a second system had actually failed or
just overheated as a consequence of the first one's failure). Professional
opinion also included the possibility that the passenger nausea was only to
be expected in flying a tight holding pattern over hot desert for three
hours, perhaps with yaw stabilisers off-line due to the failure.

It's an interesting story and no doubt, since it is in civil aviation and in
the USA, we will one day read a full and accurate account/diagnosis of what
happened - unlike in most IT disasters - but I've learned over a year or so
of consulting PPrune that media accounts like this need to be taken with a
pinch of salt - or reviewed by professionals - I'm sure Martin Thomas would
agree!

Roger Hird <rl.hird@orpheusmail.co.uk> http://roger.hird.orpheusweb.co.uk


Re: RBS computer failure condemns man ... (Goldberg, RISKS-26.91)

Martin Ward <martin@gkc.org.uk>
Thu, 12 Jul 2012 11:10:57 +0100

Things do indeed go wrong in technology: and this is why it is *essential*
to have systems in place to mitigate such failures.

The RBS fiasco is a result of two independent, and utterly inexcusable,
failings by RBS management *in addition to* the original failure:

(1) No means to backtrack an update and restore the system to its original
state. It is essential before undertaking any update to a critical system
that there should be a means to quickly restore the system, in case of
unexpected problems.  Not having such a restore function is an inexcusable
failure on the part of RBS management.

(2) No disaster recovery in place. OK, so your update has rendered a
critical system inoperable and you stupidly forgot to implement a system to
restore it. There are many potential disasters which can render critical
systems inoperable: so disaster recovery systems are essential.  Not having
a working disaster recovery system is an inexcusable failure on the part of
RBS management.

Note that customers will be reimbursed for the cost of fines and fees:
i.e. the bank will graciously waive the fees *they* would have charged for
problems *they* have caused, but they are refusing to pay any compensation
for the problems they have caused.  So there is no incentive for the bank to
spend any money on system restore features or disaster recovery in the
future.  So we can expect similar failures to occur again.

STRL Reader in Software Engineering and Royal Society Industry Fellow
martin@gkc.org.uk  http://www.cse.dmu.ac.uk/~mward/


Re: RBS computer failure condemns man ... (Goldberg, RISKS-26.91)

"Chris D." <e767pmk@yahoo.co.uk>
Thu, 12 Jul 2012 22:01:35 +0100

As mentioned, UK media have had little technical detail but a tsunami of
finger-pointing and pontification (accidents don't happen by accident
nowadays, someone always has to be blamed and punished!), though one report
commented that historically, British bank branches only opened 9am-3pm
Monday-Friday, thus giving plenty of time overnight for processing each
day's transactions, and whole weekends for software updates.  Nowadays bank
branches are open during normal retail store hours and many customers handle
their accounts on-line, so banking runs 24/7, hence any hold-up quickly
creates a huge backlog of data to be processed.


Re: UK considers broad Web site blocking by default (RISKS-26.91)

"Chris D." <e767pmk@yahoo.co.uk>
Thu, 12 Jul 2012 22:01:35 +0100

Comment from a Brit: and if you have the block in place but attempt to
access barred sites, is this also recorded?  What nobody's really explained
is how 'unsuitable' web sites are to be identified and blocked; people talk
as if ISP sysadmins just have to uncheck the box marked "allow pornography"
and we're safe...  I haven't actually done any research here (!), but
presumably 'unsuitable' (who decides?) web sites don't always have
distinguishing features, so blocking would have to work on a similar basis
to spam e-mail filters (e.g. Bayesian), with the same hit-and-miss success
rates.  The large telecomms company where I used to work had a commercial
web filter facility which was laughable in its effectiveness (though in this
case it was probably intended more to avoid embarrassing "Employees Download
Porn With Company Computers" headlines than protect workers' sensitivities),
but each filter 'hit' warning screen had a reminder that the attempt was
recorded for possible disciplinary action.  (Allegedly in the early days it
only used URLs so could be circumvented with the IP address of a banned
site.)

Incidentally, a woman columnist in the newspaper described her concern at
discovering that her husband spent much time on the website
http://modelingmadness.com/, which turned out to be about his hobby of scale
models of World War 2 fighter aircraft, rather than glamorous women...


Re: Taxing old browsers out of existence (RISKS-26.90)

Jonathan Kamens <jik@kamens.us>
Fri, 29 Jun 2012 04:56:34 -0400

Mark Thorson is "disturbed" by a retailer charging an extra fee for users
who make purchases using IE7. I am more sanguine.

* From an economic point of view, the continued use by many people of
extremely old browsers is a bane on the existence of web developers. It
costs companies real money in terms of increased development, QA and
maintenance time on their web applications.

* From a progress point of view, the resources spent supporting old, buggy
browsers lacking many of the features of modern ones could otherwise have
been spent progressing application technology in useful ways, and thus the
continued existence of very old browsers in the user space hampers forward
progress.

* From a security point of view, while it's true that new vulnerabilities
are being identified and patched in modern browsers every day, there are
surely also many vulnerabilities in the old, obsolete browsers, and those
_aren't_ being patched. Thus, it seems to me that their users are overall
more vulnerable to threats than users of modern browsers. (On the other
hand, this is merely my personal theory / impression; I concede that one
could just as easily argue that attackers don't bother as much to go after
really old browsers, and many newly exploited vulnerabilities are in
technologies that don't exist in old browsers.)

The small-l-libertarian and free-market-capitalist in me says that if this
particular retailer has decided that the "IE7 fee" makes economic sense for
them, they're perfectly within their rights to impose it, and their
customers are perfectly within their rights to shop elsewhere if they don't
approve.


Announcement of civil timekeeping meeting

Rob Seaman <seaman@noao.edu>
Tue, 10 Jul 2012 11:44:37 -0700

"Requirements for UTC and Civil Timekeeping on Earth"
A Colloquium Addressing a Continuous Time Standard
to be held at the University of Virginia, Charlottesville, VA
May 29-31, 2013, http://futureofutc.org

This is a successor to the meeting "Decoupling Civil Timekeeping from Earth
Rotation" held in October 2011, with proceedings available from the American
Astronautical Society (http://www.univelt.com/book=3042).

In January 2012, a proposal to redefine Coordinated Universal Time (UTC)
without leap seconds was discussed at the Radiocommunication Assembly of the
International Telecommunication Union (http://youtu.be/C-2UqYW9SEs).
Decision was postponed to the 2015 RA pending study of the issue.  This
meeting will explore the underlying engineering requirements for civil
timekeeping.

Meanwhile the leap second at the end of June 2012 triggered bugs in the
Linux kernel:
http://landslidecoding.blogspot.com/2012/07/linuxs-leap-second-deadlocks.html
While it may not have lived up to the hyperbole ("leap second crashes half
the Internet" - not the half I was using at the time, and no reported issues
from my organization) this points up risks on one side of the issue.  These
risks would have been mitigated by more extensive testing of kernel updates,
and by installing the updates that were tested.  Google had a completely
different framework for handling the issue:
http://googleblog.blogspot.com/2011/09/time-technology-and-leaping-seconds.html
It will be interesting to see what lessons were learned for future leap
seconds.

However, redefining UTC would also present risks:
http://www.cacr.caltech.edu/futureofutc/2011/preprints/01_AAS_11-660.pdf

We welcome abstracts from diverse communities, with the goal of clarifying
the nature of the problem space before entertaining solutions.

Rob Seaman, National Optical Astronomy Observatory http://futureofutc.org
