The RISKS Digest
Volume 27 Issue 23

Saturday, 30th March 2013

Forum on Risks to the Public in Computers and Related Systems

ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

Please try the URL privacy information feature enabled by clicking the flashlight icon above. This will reveal two icons after each link the body of the digest. The shield takes you to a breakdown of Terms of Service for the site - however only a small number of sites are covered at the moment. The flashlight take you to an analysis of the various trackers etc. that the linked site delivers. Please let the website maintainer know if you find this useful or not. As a RISKS reader, you will probably not be surprised by what is revealed…


IRS: Tax glitch affects about 660K returns
Heather Hollingsworth via Monty Solomon
Panama Canal Railway hit after upgrade
Bob Heuman
Online Dispute Becomes Internet-Snarling Attack
Markoff/Perlroth via Monty Solomon
More on Spamhaus et al.
sender anonymized by request
More cyberscares from our governments
Lauren Weinstein
SSL, RC4, and Site Administrators
Steve Bellovin
Microwave oven interference robustness mode
Saudi Arabia 'threatens Skype ban'
Lauren Weinstein
FBI wants real-time access to ... well ... pretty much everything
NYPD Facial Recog Unit Uses Facebook, Instagram To Track Down Suspects
Big Data and a Renewed Debate Over Privacy
Steve Lohr via Monty Solomon
Database Is Shut Down by NASA for a Review
Mark Mazzetti via Monty Solomon
"12 hard truths about cloud computing"
Peter Wayner via Gene Wirchenko
"One in six Amazon S3 storage buckets are ripe for data-plundering"
Ted Samson via Gene Wirchenko
Some digital cameras easily turned into spying devices
Lauren Weinstein
Google offers *offline* language translation support for Android
Risks of using other people's libraries
Phil Nasadowski
25,000 could be affected by data breach at Salem State University
Monty Solomon
"Twitter-shaming can cost you your job"
Ted Samson via Gene Wirchenko
"Cisco inadvertently weakens password encryption in IOS
Lucian Constantin via Gene Wirchenko
Password must contain multiple character classes...
"Microsoft Employee Info Being Hacked Through Xbox Live"
Chris Paoli via Gene Wirchenko
"Updated Windows 8 apps not in sync with Google Calendar"
Woody Leonhard via Gene Wirchenko
Re: Small furry animals ...
Info on RISKS (comp.risks)

IRS: Tax glitch affects about 660K returns (Heather Hollingsworth)

Monty Solomon <>
Mon, 25 Mar 2013 01:03:46 -0400
Heather Hollingsworth, AP, 13 Mar 2013

KANSAS CITY, Mo. (AP) - A tax-preparation glitch affecting about 660,000 tax
returns will delay refunds by as long as six weeks, with customers of the
nation's largest tax preparer among those affected.

The Internal Revenue Service said in a statement that a problem with a
''limited number of software company products'' affected some taxpayers
filing a form used to claim educational credits between 14 and 22 Feb 2013.

The agency didn't name any companies in the statement, which it released
Tuesday, but Kansas City-based H&R Block has been informing customers about
problems. H&R Block spokesman Gene King said Wednesday that the company
isn't saying how many of its customers were affected by the problems with
Form 8863. ...

Panama Canal Railway hit after upgrade

Bob Heuman <>
Sat, 23 Mar 2013 19:38:20 -0400
Reuters, 22 Mar 2013

Thousands of containers have been stuck at Panamanian ports after a computer
glitch hampered communication with the railway, causing significant delays,
officials said on Friday.  The Panama Canal Railway Co transports about
1,500 containers daily between the only port on the Pacific entrance to the
Panama Canal and three ports on the Atlantic, said Thomas Kenna, director of
operations for the railway.  But a computer upgrade on 20 Mar 2013 by Panama
Ports Co (which manages two of those ports) caused severe lags, Kenna said.
Since then, the railway has moved only about 350 containers a day.  Traffic
picked up on Friday, and the system should be operating normally by Monday,
Kenna added.

Online Dispute Becomes Internet-Snarling Attack (Markoff/Perlroth)

Monty Solomon <>
Wed, 27 Mar 2013 14:01:57 -0400
John Markoff and Nicole Perlroth, *The New York Times*, 26 Mar 2013
Firm Is Accused of Sending Spam, and Fight Jams Internet

A squabble between a group fighting spam and a Dutch company that hosts Web
sites said to be sending spam has escalated into one of the largest computer
attacks on the Internet, causing widespread congestion and jamming crucial
infrastructure around the world.

Millions of ordinary Internet users have experienced delays in services like
Netflix or could not reach a particular Web site for a short time.
However, for the Internet engineers who run the global network the problem
is more worrisome. The attacks are becoming increasingly powerful, and
computer security experts worry that if they continue to escalate people may
not be able to reach basic Internet services, like e-mail and online

The dispute started when the spam-fighting group, called Spamhaus, added the
Dutch company Cyberbunker to its blacklist, which is used by e-mail
providers to weed out spam. Cyberbunker, named for its headquarters, a
five-story former NATO bunker, offers hosting services to any Web site
"except child porn and anything related to terrorism," according to its Web

A spokesman for Spamhaus, which is based in Europe, said the attacks began
on March 19, but had not stopped the group from distributing its blacklist.

Patrick Gilmore, chief architect at Akamai Networks, a digital content
provider, said Spamhaus's role was to generate a list of Internet spammers.
Of Cyberbunker, he added: "These guys are just mad. To be frank, they got
caught. They think they should be allowed to spam." ...

More on Spamhaus et al. (Another sender, anonymized by request)

Lauren Weinstein <>
Wed, 27 Mar 2013 09:48:41 -0700
[I don't like sending out anonymized messages, but it appears that many
legit users are simply terrified of upsetting Spamhaus.  Via NNSquad.

  Date: Wed, 27 Mar 2013 NN:09:11 -NNNN
  From: []
  Subject: More on Spamhaus et al. [Another sender anonymized by request]

  On 27 Mar, [] wrote:

  Spamhaus has selected some of my IP addresses now and then for lock down
  as well—even though they never demonstrated any proof of any sort that
  there was any good reason. Indeed there was none. Then I found out that
  they false positive list about 90,000 IPs a day—according to them.  And
  I found out what it takes to get removed—which is excessive for the
  fact that they are acting without basis and from a location where class
  action suits are not going to work. They won't even reveal their real

  In any case, vigilante injustice is not what the Internet needs.

More cyberscares from our governments

Lauren Weinstein <>
Thu, 28 Mar 2013 19:38:03 -0700
"Cyberattacks Seem Meant to Destroy, Not Just Disrupt"  (New York Times)

  Mr. Obama's goal was to erode the business community's intense opposition
  to federal legislation that would give the government oversight of how
  companies protect "critical infrastructure," like banking systems and
  energy and cellphone networks. That opposition killed a bill last year,
  prompting Mr. Obama to sign an executive order promoting increased
  information-sharing with businesses.  "But I think we heard a new tone at
  this latest meeting," an Obama aide said later. "Six months of unrelenting
  attacks have changed some views."

In a word regarding this entire article: bull.  My bet is that most of this
stuff is coming from the functional equivalent of pimple-faced kids in their
parents' basements in Cleveland.  Hell, sad to say, I wouldn't be all that
surprised if our own governments are behind many of the attacks on our own
companies.  This is all about our own governments wanting to scare the hell
out of us so that we'll let them and their cyberscare-industrial complex
buddies get more and more powerful, richer and richer, and won't complain as
they tap our networks just like they've wanted to do pretty much all along.
And we're falling for it, boys and girls.

SSL, RC4, and Site Administrators

Federal Trade Commission <>
Fri, Mar 29, 2013 at 3:38 PM
  [image: Tech@FTC Banner] <>

Steve Bellovin
SSL, RC4, and Site Administrators

There's been yet another report of security problems with SSL.

If you run a website or mail server, you may be wondering what to do about
it.  For now, the answer is simple: nothing—and don't worry about it.

First of all, at the moment there's nothing to do.  You can't invent your
own cryptographic protocol; no one else would have a compatible browser.
Besides, they're notoriously hard to get right.  In the very first paper on
the topic, Roger Needham and Michael Schroeder wrote “Finally, protocols
such as those developed here are prone to extremely subtle errors that are
unlikely to be detected in normal operation. The need for techniques to
verify the correctness of such protocols is great, and we encourage those
interested in such problems to consider this area.''  Why do you think your
design will be better than one that has been scrutinized for more than 15

Some of the trouble in this latest breach is due to weaknesses in the RC4
cipher algorithm.  No one who works in cryptography was surprised by this
report; it's been showing cracks since at least 1997.  What's new is that
someone has managed to turn the weaknesses into a real exploit, albeit one
that needs at least 224 and preferably 230 encryptions of the same plaintext
to work.  (By the way, this is why cryptographers are so concerned about
minor weaknesses: as Bruce Schneier is fond of noting, attacks always get
better, they never get worse.)  Besides, ciphers are even harder to get
right than protocols are.  <>

The real reason not to worry, though, is that unless you're being targeted
by a major intelligence agency, this sort of cryptanalytic attack is *very*
far down on the risk scale.  Virtually all attackers will look for unpatched
holes, injection or cross-site scripting attacks, people who will fall for
spear-phishing attacks, etc., long before they'll try something like this.
The common attacks are a lot easier to launch; besides, the attackers
understand them and know how to use them.

In the long run, RC4 has to be phased out.  I certainly wouldn't start any
new designs that depended on RC4's characteristics or performance, but there
are plenty of other algorithm possibilities today.  Vendors do need to ship
web browsers and servers that support newer versions of SSL (formally known
as TLS); weaknesses at the protocol level can't always be fixed by patching
code.  For now, though, stay up to date with your patches and software, and
practice good security hygiene.  (And if you are being targeted by a major
intelligence agency, you should talk to a major counterintelligence agency,
not me!)

Posted in Tech@FTC <>

Microwave oven interference robustness mode

Sat, 23 Mar 2013 10:30:41 +0800
The IEEE 802.11 committee that developed the Wi-Fi specification
conducted an extensive investigation into the interference potential
of microwave ovens. A typical microwave oven uses a self-oscillating
vacuum power tube called a magnetron and a high voltage power supply
with a half wave rectifier (often with voltage doubling) and no DC
filtering. This produces an RF pulse train with a duty cycle below 50%
as the tube is completely off for half of every AC mains cycle: 8.33
ms in 60 Hz countries and 10 ms in 50 Hz countries.

This property gave rise to a Wi-Fi "microwave oven interference
robustness" mode that segments larger data frames into fragments each
small enough to fit into the oven's "off" periods.

Saudi Arabia 'threatens Skype ban'

Lauren Weinstein <>
Mon, 25 Mar 2013 12:12:24 -0700 (BBC via NNSquad)

  "Encrypted messaging services such as Skype, Viber and WhatsApp could be
  blocked in Saudi Arabia, the telecommunications regulator there is
  reported to have warned.  It is demanding a means to monitor such
  applications, but Saudis say that would seriously inhibit their
  communications.  Saudi newspapers are reporting that the companies behind
  the applications have been given a week to respond."

FBI wants real-time access to ... well ... pretty much everything

Lauren Weinstein <>
Tue, 26 Mar 2013 22:27:27 -0700
"FBI Pursuing Real-Time Gmail Spying Powers as 'Top Priority' for 2013"  (Slate via NNSquad)

  "Despite the pervasiveness of law enforcement surveillance of digital
  communication, the FBI still has a difficult time monitoring Gmail, Google
  Voice, and Dropbox in real time. But that may change soon, because the
  bureau says it has made gaining more powers to wiretap all forms of
  Internet conversation and cloud storage a "top priority" this year."

Actually, what they want is real-time access to pretty much everything from
everyone.  If they could force hardware manufacturers to install keyloggers,
screengrabbers, and audio/video siphons into every piece of telecom gear
manufactured, they would.  And at some point, they'll probably try.  Could
they catch more bad guys that way?  Yeah.  But they also could solve more
crimes by installing government cameras and microphones in everyone's homes
and businesses.  At some point—like now—we simply have to say that
civil liberties trump.

NYPD Facial Recog Unit Uses Facebook, Instagram To Track Down Suspects

Lauren Weinstein <>
Mon, 25 Mar 2013 21:11:43 -0700
  "Police are searching for suspects' photos on Instagram and Facebook, then
  running them through the NYPD's new Facial Recognition Unit to put a face
  to a name, DNAinfo New York has learned.  Detectives are now breaking
  cases across the city thanks to the futuristic technology that marries mug
  shots of known criminals with pictures gleaned from social media,
  surveillance cameras and anywhere else cops can find images."  ( via NNSquad)

Remember what I say, again and again: "Public Is Public!"

Big Data and a Renewed Debate Over Privacy (Steve Lohr)

Monty Solomon <>
Mon, 25 Mar 2013 00:31:06 -0400
Big Data Is Opening Doors, but Maybe Too Many

Steve Lohr, *The New York Times*, 23 Mar 2013

In the 1960s, mainframe computers posed a significant technological
challenge to common notions of privacy. That's when the federal government
started putting tax returns into those giant machines, and consumer credit
bureaus began building databases containing the personal financial
information of millions of Americans. Many people feared that the new
computerized databanks would be put in the service of an intrusive corporate
or government Big Brother.

"It really freaked people out," says Daniel J. Weitzner, a former senior
Internet policy official in the Obama administration. "The people who cared
about privacy were every bit as worried as we are now."

Along with fueling privacy concerns, of course, the mainframes helped prompt
the growth and innovation that we have come to associate with the computer
age. Today, many experts predict that the next wave will be driven by
technologies that fly under the banner of Big Data - data including Web
pages, browsing habits, sensor signals, smartphone location trails and
genomic information, combined with clever software to make sense of it all.

Proponents of this new technology say it is allowing us to see and measure
things as never before - much as the microscope allowed scientists to
examine the mysteries of life at the cellular level.  Big Data, they say,
will open the door to making smarter decisions in every field from business
and biology to public health and energy conservation.

"This data is a new asset," says Alex Pentland, a computational social
scientist and director of the Human Dynamics Lab at the M.I.T.  "You want it
to be liquid and to be used."

But the latest leaps in data collection are raising new concern about
infringements on privacy - an issue so crucial that it could trump all
others and upset the Big Data bandwagon. Dr. Pentland is a champion of the
Big Data vision and believes the future will be a data-driven society. Yet
the surveillance possibilities of the technology, he acknowledges, could
leave George Orwell in the dust. ...

Database Is Shut Down by NASA for a Review (Mark Mazzetti)

Monty Solomon <>
Mon, 25 Mar 2013 00:34:11 -0400
Mark Mazzetti, *The New York Times*, 22 Mar 2013

WASHINGTON - NASA has shut down a large public database and is limiting
access to agency facilities by foreign citizens as part of a broader
investigation into efforts by China and other countries to get information
about important technology.

NASA announced the security procedures this week, after the F.B.I. arrested
a Chinese citizen at Dulles International Airport in Virginia who had
boarded a plane to Beijing.

The man, Bo Jiang, had been working as a contractor at NASA's Langley
Research Center in southern Virginia. According to an affidavit filed on
Monday, Mr. Jiang is being charged with making false statements to federal
agents - failing to disclose that he was carrying a laptop, hard drive and
SIM card that were discovered after a search of his belongings. ...

"12 hard truths about cloud computing" (Peter Wayner)

Gene Wirchenko <>
Mon, 25 Mar 2013 10:36:11 -0700
Peter Wayner, InfoWorld,
Performance, security, cost—here's what to really expect from the cloud

"One in six Amazon S3 storage buckets are ripe for data-plundering" (Ted Samson)

Gene Wirchenko <>
Thu, 28 Mar 2013 10:43:30 -0700
Ted Samson, InfoWorld, 27 Mar 2013
Researchers discover nearly 2,000 Amazon Simple Storage Service
buckets containing freely accessible sensitive data

Some digital cameras easily turned into spying devices

Lauren Weinstein <>
Tue, 26 Mar 2013 18:11:04 -0700  (Net-Security [+video] via NNSquad)

  "Newer cameras increasingly sport built-in Wi-Fi capabilities or allow
  users to add SD cards to achieve them in order to be able to upload and
  share photos and videos as soon as they take them.  But, as proven by
  Daniel Mende and Pascal Turbing, security researchers with German-based IT
  consulting firm ERNW, these capabilities also have security flaws that can
  be easily exploited for turning these cameras into spying devices.  Mende
  and Turbing chose to compromise Canon's EOS-1D X DSLR camera an exploit
  each of the four ways it can communicate with a network. Not only have
  they been able to hijack the information sent from the camera, but have
  also managed to gain complete control of it."

Google offers *offline* language translation support for Android

Lauren Weinstein <>
Wed, 27 Mar 2013 10:55:50 -0700  (Google Translate Blog via NNSquad)

  Have you ever found yourself in a foreign country, wishing you knew how to
  say "I'm lost!" or "I'm allergic to peanuts"? The Internet and services
  like Google Translate can help-but what if you don't have a connection?
  Today we're launching offline language packages for Google Translate on
  Android (2.3 and above) with support for fifty languages, from French and
  Spanish to Chinese and Arabic.

Seriously useful and cool.

Risks of using other people's libraries

Phil Nasadowski <>
Mon, 25 Mar 2013 22:37:34 -0400
We recently ran into a situation where I work, where a vendor's (a large,
well-known, multinational company with a two letter abbreviation for it's
name) piece of software was not fully compatible with Windows 7, 64bit.  In
particular, a portion of the UI that's very, very useful for looking at
variables, is broken.

Being that the software in question was a development package for their
programmable logic controllers, and the widespread use of Windows 7 / 64 bit
in our office, a call to the vendor was in order.

The vendor replied that they were *not* going to update the package for 64
bit operating systems and there was *no* workaround.

A bit of pressing and a few nasty emails later, we got the full story:

Apparently the software uses a library developed by an outside firm.  That
firm went bankrupt and is no longer in business.  There is no copy of the
source code to the library.  The library is not 64 bit compatible.  Thus,
the vendor is forced to rewrite a portion of his software in house.  Or seek
another library.  Or something.

We are stuck with a piece of broken software for the mean time.  They say
maybe 6 months to a year to fix it.  I doubt we're alone.

I'm sure this isn't the first time this has happened.  I'm sure it won't be
the last.  It's a risk of relying on someone else's library to do something.
If they go away, you may be stuck with incompatible software.  And your
customers won't be happy about it.

Philip Nasadowski, Project Engineer, PCS Integrators

25,000 could be affected by data breach at Salem State University

Monty Solomon <>
Mon, 25 Mar 2013 00:19:47 -0400â15

"Twitter-shaming can cost you your job" (Ted Samson)

Gene Wirchenko <>
Mon, 25 Mar 2013 09:51:31 -0700
  Ah, the wonders/blunders of modern communication.

Ted Samson, InfoWorld, 21 Mar 2013
Complaint on Twitter about overheard off-color jokes ends up costing
two techies their jobs

"Cisco inadvertently weakens password encryption in IOS (Lucian Constantin)

Gene Wirchenko <>
Mon, 25 Mar 2013 10:00:24 -0700
Lucian Constantin, IDG News Service, InfoWorld, 20 Mar 2013

Cisco inadvertently weakens password encryption in its IOS operating system
The password encryption scheme used in newer Cisco IOS versions is weak,
researchers find.

Password must contain multiple character classes...

Fri, 29 Mar 2013 19:39:17 +0800
I have just encountered the most clodsworthy...
Lost Password Login

Welcome, jidanni. You may now change your password.
New password / passphrase:
(not too short, must contain multiple character classes: symbols, digits
(0-9), upper and lower case letters) (for instance: Stigma5Brass3Status)
New Password (repeat):

  1. Why am I here? Because I always forget my password.
  2. Why do I always forget my password? Because I am not allowed to use
     my much better password, but have to conform to some expert person's
     concept of what is a good password.

"Microsoft Employee Info Being Hacked Through Xbox Live"

Gene Wirchenko <>
Tue, 26 Mar 2013 10:37:42 -0700
Chris Paoli, 20 Mar 2013
And one security expert unravels the tangled web of related attacks.

"Updated Windows 8 apps not in sync with Google Calendar" (Woody Leonhard)

Gene Wirchenko <>
Wed, 27 Mar 2013 09:42:00 -0700
  Users caught in the middle:

Woody Leonhard, InfoWorld, 26 Mar 2013

Updated Windows 8 apps not in sync with Google Calendar
Microsoft's new version of the Metro 'productivity' apps Mail, Calendar,
and People refuses to sync with Google Calendar

But it is not just Microsoft:

"After you upgrade Mail, Calendar, and People (they all come together), the
first time the Metro apps try to sync with a Google Calendar, you see this

Reconnect this account / We can't connect to because
Google no longer supports ActiveSync. Reconnect to get your email and
contacts using a different method. Cancel to save your email drafts and
reconnect later."

Re: Small furry animals ... (Re: Ishikawa, RISKS-27.22)

security curmudgeon <>
Sun, 24 Mar 2013 12:29:57 -0500 (CDT)
[Ishikawa notes only] the tip of the iceberg.  While doing research for a
presentation, I focused only on squirrel-related outages of both power and
communications.  The presentation is available here:

If you start at slide 33 and click through to slide 39, you will not only
see my attempt at a humorous assertion that squirrels are a bigger threat
than 'cyberwar', but in the notes below each side is extensive details of
other incidents caused by squirrels. In some cases, I had to resort to (now
shared) Google spreadsheets because there were so many incidents.

In particular, look at the notes for Slide 34 which has one fascinating

  Squirrels caused 177 power outages in Lincoln, Nebraska, in 1980, which
  was 24% of all outages. Estimated annual costs were $23,364 for repairs,
  public relations, and lost revenue. In Omaha, in 1985, squirrels caused
  332 outages costing at least $47,144. After squirrel guards were installed
  over pole-mounted transformers in Lincoln in 1985, annual costs were
  reduced 78% to $5,148.

Another article tells us:

  In Georgia, squirrel-related outages more than tripled from 5,273 in 2005
  to 16,750 in 2006. [..] Georgia Power officials estimate the rodents cost
  them $2 million last year. [..] It appears that the problem may in part be
  due to acorns. [..] PECO, which powers Philadelphia and its surrounding
  counties, spends $1 million a year on squirrel guards to stop outages from
  "those rascally little varmints," Engel said.

Another reference in the presentation also gives us this:

  According to Level 3 Communications, Squirrel chews account for a whopping
  17% of our damages so far this year! (2011)

So, while a rat has the distinction of going after a nuclear power plant,
that little critter is just the latest in a painfully long history of such

  [In addition to the SRI item that Ishikawa noted, I have probably
  previously noted in RISKS that SRI International has experienced at least
  5 squirrelcides that brought down the entire institute's power—despite
  our having created a co-generation plant in response to the first few.  In, search for
  "squirrel" gives those and others:
  * Squirrel arcs power, downs computers in Providence RI
  * SRI attacked by kamikaze squirrel who downs uninterruptible power
  * 4th SRI squirrelcide causes 8-hour outage, surges, system rebuild
  * 5th SRI squirrelcide causes 18.5-hour institute outage
  * Another squirrelcide: San Jose Airport power cut
  * Squirrel attack brings down Walla Walla
  * Squirrel knocked out Trumbull Connecticut infrastructure computer center

Please report problems with the web pages to the maintainer