The RISKS Digest

Forum on Risks to the Public in Computers and Related Systems

ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

Volume 27 Issue 01

Thursday 30 August 2012


United Airlines Network Outage
Jonathan B Spira
Observation Deck: What Happens When Cars Start Talking to Each Other?
Gabe Goldberg
The Cadillac Your Livery Driver Has Been Dreaming Of
John Pearley Huffman via Monty Solomon
Study says drivers, not cellphones, pose the accident risk
Hiawatha Bray via Monty Solomon
New malware infects VMware VMs
Bob DeSilets
Shared private key can apparently compromise RuggedCom SCADA gear
Digital Bond via NNSquad
"How to Secure Data by Addressing the Human Element"
Thor Olavsrud via Gene Wirchenko
"Your car, tracked: the rapid rise of license plate readers"
Cyrus Farivar via Monty Solomon
Data so secure even you can't read it
Ben Moore
I've Got That Syncing Feeling
Craig Forman via Monty Solomon
How to Hack your own Hotmail account
Jeremy Ardley
Don't download that app: US presidential candidates will STALK you with it
John Leyden via Monty Solomon
"Buying Their Way to Twitter Fame"
Austin Considine via Lauren Weinstein
"Twitter's fake followers: Influence for sale"
Bill Snyder via Gene Wirchenko
5 Design Tricks Facebook Uses To Affect Your Privacy Decisions
Lauren Weinstein
Doug Jones: guest editorial on voter registration
Re: "How to avoid an Elections-Ontario-style data-breach fiasco"
Gene Wirchenko
Spyware Matching FinFisher Can Take Over IPhone and BlackBerry
Dave Farber
John Fricker
Re: Knight Capital software upgrade costs $440m
Amos Shapir
Re: NYPD unveils new $40 million super computer system
Raj Mathur
Re: Announcement of civil timekeeping meeting
Info on RISKS (comp.risks)

United Airlines Network Outage (via Dave Farber's IP)

"Jonathan B Spira" <>
Tue, 28 Aug, 2012 9:01 PM
  [United Airlines' SHARES passenger reservation system had a two-hour
  system-wide outage on 28 Aug 2012 that affected United's website, flight
  check-in, and boarding, and also caused ground-stops at UAL hubs in
  Houston, Newark, and SFO.  SHARES (the former Continental system) has had
  various troubles since it was adopted by UAL after the merger.  PGN]

Among other interesting tidbits, United was handing out hand-written
boarding passes today (dozens of pictures of these posted on Twitter).

More details on the outage here plus picture of boarding pass: *United
Airlines Network Outage Snarls Air Traffic*

  [An earlier item noted by Dave Farber: United reservation system crashes,
    FAA issues ground stop.  PGN]

Observation Deck: What Happens When Cars Start Talking to Each Other?

Gabe Goldberg <>
Mon, 27 Aug 2012 20:56:58 -0400
What could go wrong? I mean, aside from flocks of birds and schools of fish
having had millions of years to evolve compatibly, and there being
Windows/iOS/Android cars trying to collaborate seamlessly in real time.
Plus people having rooted their cars...

  [See the article by Adam Rogers:]

Gabriel Goldberg, Computers and Publishing, Inc., 3401 Silver Maple Place,
Falls Church, VA 22042  (703) 204-0433

The Cadillac Your Livery Driver Has Been Dreaming Of (John Pearley Huffman)

Monty Solomon <>
Fri, 24 Aug 2012 22:49:53 -0500
... What replaces many of those buttons is Cadillac's intuitive new CUE
system, which uses a large touch screen at the center of the dashboard;
think of it as an embedded iPad.  Using Apple-style gestures and swipes, the
driver can scroll through various apps until finding the right one for a
particular task. Those tasks include navigation, sound system and Bluetooth
phone controls.  Throw in some voice controls and the CUE interface sets a
new standard for ease of use.  Also replacing some switches are
touch-sensitive strips that control the ventilation system while continuing
the design theme. This effectively and elegantly extends the use of
gesture-based controls beyond the touch screen. ...

  [Source: John Pearley Huffman, *The New York Times*, 26 Aug 2012]

Study says drivers, not cellphones, pose the accident risk (Hiawatha Bray)

Monty Solomon <>
Mon, 27 Aug 2012 22:21:16 -0500
Hiawatha Bray, *The Boston Globe*, 27 Aug 2012,
Cellphones' role in crashes doubted

Don't blame the technology.

For those who argue that a ban on cellphone use while driving will make
highways safer, there's bad news: People who chat behind the wheel often
drive more aggressively even after they hang up, according to a study from
the Massachusetts Institute of Technology.

"The people who are more willing to frequently engage in cellphone use are
higher-risk drivers, independent of the phone," said Bryan Reimer, associate
director of MIT's New England University Transportation Center. "It's not
just a subtle difference with those willing to pick up the phone. This is a
big difference."

Reimer and a team of MIT researchers studied the behavior of 108 Greater
Boston drivers. About half acknowledged frequent phone use when driving; the
rest said they rarely used their phones behind the wheel. ...

New malware infects VMware VMs (ZDNet via Dave Farber's IP)

"Bob DeSilets" <>
Aug 28, 2012 11:52 AM

Just when you thought you were safe running a VM:

The Windows version of a piece of malware discovered in July, called Crisis,
has been found to be capable of infecting VMware virtual machines as well as
Windows Mobile devices, and removable USB drives.  When originally
discovered Crisis was thought to target just Windows and Mac OS users.  It
has the capability to record Skype conversations, capture traffic from
instant messaging programs, and track websites visited in Firefox or
Safari. According to Symantec, Crisis "searches for a VMware virtual machine
image on the compromised computer and, if it finds an image, it mounts the
image and then copies itself onto the image by using a VMware Player
tool. This may be the first malware that attempts to spread on to a virtual
machine."   [ZDNet, 22 Aug 2012]

Bob DeSilets, Information Security Officer, Perelman School of Medicine
University of Pennsylvania (215)746-5578

Shared private key can apparently compromise RuggedCom SCADA gear

Lauren Weinstein <>
Wed, 22 Aug 2012 13:13:13 -0700 (Digital Bond via NNSquad)

  "Justin Clarke and ICS-CERT unveiled another vulnerability in RuggedCom
  devices yesterday.  This time, Justin took a different track with the
  device firmware and showed that all products use the same SSL private key,
  hard-coded in the firmware.  This is fairly typical in cheap
  consumer-grade embedded products, and has the unfortunate effect that easy
  Man-In-The-Middle attacks can be performed against products.  For example,
  any compromised host on the switch management network can be used to spoof
  affected RuggedCom switches, meaning that the bad guy or gal could capture
  legitimate usernames and passwords for the switch."

  [This item is all over the Web, including slashdot.  But check out the
  website (with Dale Peterson and others).  It is loaded with RISKS-related
  goodies.  PGN]

"How to Secure Data by Addressing the Human Element" (Thor Olavsrud)

Gene Wirchenko <>
Tue, 21 Aug 2012 15:21:38 -0700
  A double-hitter here.  (Two Risks in One!)

Thor Olavsrud, 15 Aug 2012

Your sensitive data is only as secure as the weakest link in your
organization, and in many cases the weak link is your employees. A properly
established security awareness and training program can pay huge dividends.

1. The article reports on a DEFCON 18 contest to do human engineering.
   Standard RISKS stuff.

2. At one point is this interesting paragraph:

"We find surprisingly little variation in guessing difficulty; every
identifiable group of users generated a comparably weak password
distribution," Bonneau writes. "Security motivations such as the
registration of a payment card have no greater impact than demographic
factors such as age and nationality. Even proactive efforts to nudge users
towards better password choices with graphical feedback make little
difference. More surprisingly, even seemingly distant language communities
choose the same weak passwords and an attacker never gains more than a
factor of 2 efficiency gain by switching from the globally optimal
dictionary to population-specific lists."
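To make the "factor of 2" claim in the quoted paragraph concrete, here is an added example (not from the article or from Bonneau's paper): two constructed password frequency distributions, a guessing order built either from both populations together or from one alone, and the resulting efficiency gain at a chosen success level. The data are invented; the measure is simply the number of guesses, taken in dictionary order, needed to cover a given fraction of accounts.

```python
from collections import Counter

# Constructed password frequency counts for two user populations (invented data, not
# from any real leak): each maps a password to the number of accounts using it.
POP_A = Counter({"123456": 40, "password": 25, "qwerty": 15, "hunter2": 10,
                 "letmein": 5, "football": 5})
POP_B = Counter({"123456": 30, "password": 20, "senha": 25, "brasil": 15,
                 "qwerty": 5, "letmein": 5})


def dictionary(*populations):
    """Optimal guessing order for the given populations: most common password first
    (ties broken alphabetically so the order is deterministic)."""
    total = Counter()
    for pop in populations:
        total.update(pop)
    return [pw for pw, _ in sorted(total.items(), key=lambda kv: (-kv[1], kv[0]))]


def success_rate(pop, order, beta):
    """Fraction of accounts in pop whose password lies within the first beta guesses."""
    accounts = sum(pop.values())
    return sum(pop[pw] for pw in order[:beta]) / accounts


def guesses_needed(pop, order, alpha):
    """Smallest number of guesses (in the given order) that covers at least a
    fraction alpha of pop's accounts, or None if the order never gets there."""
    accounts, covered = sum(pop.values()), 0
    for n, pw in enumerate(order, start=1):
        covered += pop[pw]          # Counter returns 0 for passwords absent from pop
        if covered / accounts >= alpha:
            return n
    return None


def efficiency_gain(pop, global_order, local_order, alpha):
    """How many times fewer guesses the population-specific order needs than the
    global order to reach success level alpha against pop (1.0 means no gain)."""
    g = guesses_needed(pop, global_order, alpha)
    l = guesses_needed(pop, local_order, alpha)
    return None if g is None or l is None else g / l


if __name__ == "__main__":
    global_order = dictionary(POP_A, POP_B)   # "globally optimal" list
    local_order = dictionary(POP_B)           # population-specific list for B
    for alpha in (0.5, 0.75, 0.9):
        print("alpha=%.2f global=%s local=%s gain=%.2f" % (
            alpha, guesses_needed(POP_B, global_order, alpha),
            guesses_needed(POP_B, local_order, alpha),
            efficiency_gain(POP_B, global_order, local_order, alpha)))
```

With these toy distributions the population-specific list helps only at the tail (a gain of 1.25 at the 90% level and none at 50%), which is the shape of the effect Bonneau describes.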

"Your car, tracked: the rapid rise of license plate readers" (Cyrus Farivar)

Monty Solomon <>
Mon, 20 Aug 2012 09:56:41 -0400
Cyrus Farivar, Ars Technica, Aug 15 2012
Largely unregulated, cameras now collect millions of travel records every day.

Tiburon, a small but wealthy town just northeast of the Golden Gate Bridge,
has an unusual distinction: it was one of the first towns in the country to
mount automated license plate readers (LPRs) at its city borders, the only
two roads going in and out of town. Effectively, that means the cops are
keeping an eye on every car coming and going.

A contentious plan? Not in Tiburon, where the city council approved the
cameras unanimously back in November 2009.

The scanners can read 60 license plates per second, then match observed
plates against a "hot list" of wanted vehicles, stolen cars, or criminal
suspects. LPRs have increasingly become a mainstay of law enforcement
nationwide; many agencies tout them as a highly effective "force multiplier"
for catching bad guys, most notably burglars, car thieves, child molesters,
kidnappers, terrorists, and, potentially, undocumented immigrants.

Today, tens of thousands of LPRs are being used by law enforcement agencies
all over the country; practically every week, local media around the country
report on some LPR expansion. But the system's unchecked and largely
unmonitored use raises significant privacy concerns. License plates, dates,
times, and locations of all cars seen are kept in law enforcement databases
for months or even years at a time. In the worst case, the New York State
Police keeps all of its LPR data indefinitely. No universal standard governs
how long data can or should be retained.

Not surprisingly, the expanded use of LPRs has drawn the ire of privacy
watchdogs. In late July 2012, the American Civil Liberties Union and its
affiliates sent requests to local police departments and state agencies
across 38 states to request information on how LPRs are used. ...

Data so secure even you can't read it

"Ben Moore" <>
Fri, 24 Aug 2012 15:52:34 GMT
Victorinox is allowing its security program's VeriSign certificate to lapse
on September 15th. Without this certificate the contents of the secure
partition can't be decrypted.

"Swiss army knife maker Victorinox has decided to take the sting out of
ditching support for the security software in its range of USB-knife drives
by offering customers a full refund.

"In a message posted to Facebook but not apparently anywhere else, the
company said customers unhappy with the ending of the security features on
the company's combined penknife/flash memory drives could send them back
for a refund.

"The company announced the end of support for the security features a few
days ago in an ambiguous Facebook post that failed to clarify that all of
the drive's security features - including an encrypted partition,
biometric authentication and secure password management - would cease.

"However, the seriousness of the issues was underlined by the company
setting 15 September as the date by which customers must back up all data on
the encrypted section of the drives."

I've Got That Syncing Feeling (Craig Forman)

Monty Solomon <>
Tue, 28 Aug 2012 13:02:15 -0400
Your devices are eager to make all your content line up nicely.  Sometimes
the results are not so nice.

Craig Forman, *Wall Street Journal*, 26 Aug 2012

The trouble started when I innocently downloaded a free IKEA catalog app to
my iPad. The trouble nearly ended with a $1,200 charge from AT&T.

I was traveling in Europe for a short family trip. Before leaving the U.S.,
I downloaded the image-heavy catalog using a standard broadband connection.
Aware of the costs of digital Internet access while abroad, my wife, son and
I thought we had taken all the correct precautions.

Were location-based services off? Check. Notifications off? Check.
All three iPhones switched to Wi-Fi only? Check, check and check.

So the midnight e-mail from AT&T came as a surprise: "Unusually high volumes
of data. 750 megabytes downloaded. Please check your phone."  I checked my
phone, but all potential digital gotchas had been put to rest. We were jet
lagged and exhausted. Surely a couple hours' sleep couldn't put us in
digital harm's way?

But in these modern days of anytime, anywhere, cloud-based synchronization,
those few hours of shut-eye were plenty costly. I awoke to a buzzing of my
phone, an SMS and an e-mail from AT&T: The data download had nearly doubled
while I was sleeping. My account was in imminent danger of being shut off
unless I called them. ...

How to Hack your own Hotmail account

Jeremy Ardley <>
Mon, 27 Aug 2012 13:37:10 +0800

(Watch in HD full-screen to see text)

Is a video of how to change the text and headers of an e-mail in your own
Hotmail account.

It is perfectly legal and is acknowledged by Microsoft as a design feature
of their Windows Live Hotmail client.

Up until this was described by myself, Richard Boddington, and Grant Boxall,
it was assumed that Hotmail e-mails could not be altered. As such they have
been used as evidence in court cases.

Our paper is available to subscribers of the Journal of Digital Forensics,
Security and Law.

The technique we show can tracelessly alter any part of an e-mail including
all headers. It is possible for instance to create a fictitious e-mail sent
at some date in the past and with wording as desired.

Examples of this could be forging an e-mail admitting liability or offering
to pay money. The list is endless.

The 'hack' works because Microsoft introduced a new protocol called
DeltaSync that enables Windows Live clients to synchronize e-mails across
machines via Hotmail.

Altering a local copy of an e-mail on a client and then syncing will
cause that copy to overwrite the Hotmail copy and as well overwrite
copies on other clients.

Using this technique you can also add payloads to an e-mail - e.g. some
malware - and have it automatically delivered to a target machine. As an
example, an ingenious felon could break into someone's house and insert
malware into an e-mail, and by syncing, the package could then get onto a
synced work computer, bypassing any mail scanning system.

We are looking at similar schemes with e-mail syncing via web-server—e.g.,

Don't download that app: US presidential candidates will STALK you with it (John Leyden)

Monty Solomon <>
Tue, 21 Aug 2012 09:06:48 -0400
John Leyden, *The Register*, 20 Aug 2012
Romney mobile application even requests permission to record audio ...

Security researchers have uncovered privacy shortcomings in the mobile
applications offered by both the Barack Obama and Mitt Romney presidential
campaigns.  The campaign teams of the incumbent US President and his
Republican challenger have each released apps for both iOS and Android, in
good time for the election on November 6.

Experts at GFI Software looked at the Android versions of both apps,
discovering both to be surprisingly invasive.  Obama for America and Mitt's
VP request permissions, access to services and data, and capabilities beyond
their core mandate.  For example, each of the apps features the ability to
cross-post on users' behalf and report back to base. One app even has a tool
to encourage users to go canvassing on behalf of the candidate, which in
GFI's test directed Obama supporters to an unsafe part of a US town - just
north of downtown Clearwater, Florida.

Both Android apps slurp the details of users' contacts and log location
data, as a rundown by GFI on both apps and the permissions they seek
explains. The Romney app even requests permission to record audio for
unspecified (and so-far unactivated) purposes. ...

"Buying Their Way to Twitter Fame" (Austin Considine)

Lauren Weinstein <>
Thu, 23 Aug 2012 20:55:52 -0700
Source: Austin Considine, *The New York Times*, 23 Aug 2012, via NNSquad

  "It may be the worst-kept secret in the Twittersphere. That friend who
  brags about having 1,000, even 100,000 Twitter followers may not have
  earned them through hard work and social networking; he may have simply
  bought them on the black market.  And it's not just ego-driven blogger
  types. Celebrities, politicians, start-ups, aspiring rock stars, reality
  show hopefuls - anyone who might benefit from having a larger social media
  footprint - are known to have bought large blocks of Twitter followers."

"Twitter's fake followers: Influence for sale" (Bill Snyder)

Gene Wirchenko <>
Thu, 30 Aug 2012 09:39:33 -0700
Bill Snyder, *InfoWorld*, 30 Aug 2012
From Lady Gaga to Obama, paid tweets and inflated followings game
  online reputations and call the whole system into question

selected text:

Organizations are in fact buying fake followers, including both major
candidates for the White House, numerous other politicians, and scads of
celebrities. Republican presidential nominee Mitt Romney, for example, had
673,002 followers on July 20. One day later, that number soared by 17
percent, or 117,000 new followers. On the other side of the partisan divide,
President Barack Obama's campaign boasts that he has nearly 19 million
followers. However, an analysis by StatusPeople, a social media management
company based in London, shows that only 30 percent of them actually exist
or have active accounts. To be fair, it's possible that spam bots are
creating at least some of the fake accounts.

The implications are serious: Twitter has changed how politics is reported
in the United States and has been a weapon used by pro-democracy advocates
in countries like Egypt and Iran. It's also a tool used by businesses to
stay in touch with customers. To its credit, Twitter has tried to stop the
spread of fake accounts and the like, but cheaters and petty profiteers are
still eroding its value as a communications tool.

5 Design Tricks Facebook Uses To Affect Your Privacy Decisions

Lauren Weinstein <>
Sun, 26 Aug 2012 15:04:25 -0700  (Techcrunch via NNSquad)

  "In fact, Facebook keeps "improving" their design so that more of us will
  add apps on Facebook without realizing we're granting those apps (and
  their creators) access to our personal information."

Doug Jones: guest editorial on voter registration

"Peter G. Neumann" <>
Fri, 24 Aug 2012 10:17:10 PDT
  Doug Jones, a long-time observer of elections, has written an excellent
  guest editorial in the Iowa Press-Citizen on risks of using databases to
  disqualify voters.  As this is a problem that is increasingly prevalent,
  it seems worth noting here.  PGN

Re: "How to avoid an Elections-Ontario-style data-breach fiasco" (RISKS-26.94)

Gene Wirchenko <>
Tue, 21 Aug 2012 15:04:00 -0700
You thought that the Elections Ontario submission was a winner?  I got this
from a reader:

> Woah! The staff thought that encryption meant zipping it up. LOL. Utterly
> amazing. No wonder there is very little effort needed to crash e-mail
> accounts and FTP server accounts. :) Most people don't understand even
> the basics. Amazing.

   Unfortunately, winning means losing here.

Spyware Matching FinFisher Can Take Over IPhone and BlackBerry

Dave Farber <>
Wed, 29 Aug 2012 12:29:58 -0400
  [Via Dave Farber's IP distribution.  PGN]

FinFisher spyware made by U.K.-based Gamma Group can take control of a range
of mobile devices, including Apple Inc.'s iPhone and Research in Motion Ltd.
(RIM)'s BlackBerry, an analysis of presumed samples of the software shows.

Systems that can be targeted include Microsoft Corp.'s Windows Mobile, the
Apple iPhone's iOS, BlackBerry and Google Inc.'s Android, according to the
company's literature.  The program can secretly turn on a device's
microphone, track its location and monitor e-mails, text messages and voice
calls, according to the findings, being published today by the University of
Toronto Munk School of Global Affairs' Citizen Lab.  Researchers used newly
discovered malicious software samples to further pull back the curtain on
the elusive cyberweapon. ...

Re: Spyware Matching FinFisher Can Take Over IPhone and BlackBerry

"John Fricker" <>
Aug 29, 2012 1:17 PM
  [Re: via Dave Farber's IP]

Interesting but wrong when it comes to iOS and the iPhone and iPad.

"A mobile device's user can become infected by being tricked into going to
a Web link and downloading the malware, which can be disguised as something
other than FinSpy.

As Gamma's promotional video illustrates, the process can be as simple as
sending someone a text message with a link that looks like it comes from
the phone maker, and asking the user to “please install this system
update,'' Marquis-Boire says."

It's impossible to install software on iOS in this manner. The May 2012
white paper from Apple explains why (see Execute Never).

Re: Knight Capital software upgrade costs $440m

Amos Shapir <>
Wed, 22 Aug 2012 17:33:11 +0300
This gives new meaning to the term "Fly by Knight"...

Seriously, as others had already pointed out, the problem is not a software
bug, but the fact that the trading system had accepted the bad data as
genuine.  The problem is, the system has no sanity checks; but as long as
money can be made by insane actions (whether intended or not), I'm afraid
that insanity will stay as an inherent part of the system.

Re: NYPD unveils new $40 million super computer system (RISKS 26.98)

Raj Mathur <>
Tue, 21 Aug 2012 10:30:21 +0530
Am I the only one who sees the RISKS attendant on this partnership and an
off-the-shelf crime prevention and investigation system?  [UNLIKELY!  PGN]
Off the top of my head (and based on the minimal information available in
the article):

* Expectation of sales will certainly dilute the quality and effectiveness
  of the product for the original client.  Instead of being made purely on
  the merits of functionality and usefulness for NYPD, decisions on features
  and fixes will instead be vetted through a commercial viability test.  The
  product is likely to end up as bloatware, losing all contact with the
  needs of the force on the ground in the process.

* Presumably this product is not Free/Open Source Software.  Unless there's
  an existing understanding that clients (other than NYPD) will have access
  to the source code, with permission to modify for their own requirements,
  popularity of the product would result in straitjacketing of procedures at
  other police forces.  What suits NYPD may not be right for New Delhi or
  Rome.  Heck, it may not even be right for Des Moines.  Easy availability
  of such a package would promote processes and documentation that works for
  the NYPD, at the cost of local innovation and locally appropriate

  Unless the original design and development has been done with full
  customisability as one of the primary criteria (an expensive,
  time-consuming and ultimately still limited process), we are more likely
  to see police forces adapting to the system rather than the other way

* If the product becomes even reasonably popular, vulnerabilities and
  exploits will eventually be available in the wild to permit criminals to
  game—or worse, misuse—the system.

* [Rant] Is there any reason at all for a police force to become a
  commercially viable entity?  In my opinion, crime prevention and law
  enforcement on the one hand and economic viability on the other are
  completely separate objectives, and mixing the two is unlikely to result
  in any benefit to the first.

Raj Mathur

Re: Announcement of civil timekeeping meeting (RISKS-26.92,93,98)

mathew <>
Thu, 23 Aug 2012 09:42:11 -0500
The Science Time idea is good, but I have a much simpler suggestion.

Keep UTC exactly as it is for civil timekeeping. And the people who don't
like leap seconds or find them hard to deal with can switch to TAI, which
already exists. Need a cheap local source of TAI? Get a GPS. And start
setting up an NTP network of TAI timeservers—anyone doing this yet?

The people who don't want leap seconds in their timescale can stop having
them today. There's nothing much standing in their way, except perhaps lack
of a good way to indicate TAI in Internet timestamps. But instead, the
proposal is to abolish UTC.  I use the word 'abolish' because the whole
point of UTC is that it's kept in sync with astronomical time via leap
second adjustments; if you get rid of the leap seconds, you just have TAI
with a fixed offset.

So the calls to abolish UTC are really about tricking people into switching
to TAI for civil timekeeping without knowing they're doing it. That way we
don't have to get governments involved and have a democratic discussion,

If the proposal was to switch to TAI for system clocks and then apply
appropriate translation to civil time for display, I'd support it.
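The UTC/TAI relationship mathew describes, as an added example that is not part of his post or of any timekeeping proposal: a leap-second table holding the published IERS values from 1972 through the 30 June 2012 leap second, with conversions in both directions, including the 23:59:60 second that an ordinary clock type cannot represent. Assumed: timestamps are whole seconds, and anything after 1 July 2012 uses the then-current 35 s offset, which is exactly the "TAI with a fixed offset" that a leap-second-free UTC would become.

```python
import bisect
from datetime import datetime, timedelta

# Leap-second table: (UTC instant at which a new TAI-UTC offset takes effect, offset in s).
# Published IERS values from the start of the leap-second era (1972) up to the
# 30 June 2012 leap second, after which TAI-UTC = 35 s.  A clock that simply stopped
# inserting leap seconds after this point would read TAI minus a constant 35 s.
LEAP_TABLE = [
    (datetime(1972, 1, 1), 10), (datetime(1972, 7, 1), 11), (datetime(1973, 1, 1), 12),
    (datetime(1974, 1, 1), 13), (datetime(1975, 1, 1), 14), (datetime(1976, 1, 1), 15),
    (datetime(1977, 1, 1), 16), (datetime(1978, 1, 1), 17), (datetime(1979, 1, 1), 18),
    (datetime(1980, 1, 1), 19), (datetime(1981, 7, 1), 20), (datetime(1982, 7, 1), 21),
    (datetime(1983, 7, 1), 22), (datetime(1985, 7, 1), 23), (datetime(1988, 1, 1), 24),
    (datetime(1990, 1, 1), 25), (datetime(1991, 1, 1), 26), (datetime(1992, 7, 1), 27),
    (datetime(1993, 7, 1), 28), (datetime(1994, 7, 1), 29), (datetime(1996, 1, 1), 30),
    (datetime(1997, 7, 1), 31), (datetime(1999, 1, 1), 32), (datetime(2006, 1, 1), 33),
    (datetime(2009, 1, 1), 34), (datetime(2012, 7, 1), 35),
]
BOUNDARIES = [b for b, _ in LEAP_TABLE]


def tai_minus_utc(utc):
    """TAI-UTC (whole seconds) in effect at a naive UTC datetime."""
    idx = bisect.bisect_right(BOUNDARIES, utc) - 1
    if idx < 0:
        raise ValueError("before the leap-second era (1972)")
    return LEAP_TABLE[idx][1]


def utc_to_tai(utc_str):
    """'YYYY-MM-DDTHH:MM:SS' in UTC (seconds may be 60 inside a leap second) -> TAI datetime.

    TAI has no leap seconds, so a plain datetime holds it without trouble; UTC is taken
    as text because datetime cannot represent 23:59:60.
    """
    date_part, time_part = utc_str.split("T")
    hh, mm, ss = (int(x) for x in time_part.split(":"))
    if ss > 60:
        raise ValueError("invalid seconds field in %s" % utc_str)
    base = datetime.strptime(date_part, "%Y-%m-%d") + timedelta(
        hours=hh, minutes=mm, seconds=min(ss, 59))
    if ss == 60:
        # 23:59:60 exists only on the day before a positive leap second is inserted.
        if (hh, mm) != (23, 59) or base + timedelta(seconds=1) not in BOUNDARIES[1:]:
            raise ValueError("no leap second at %s" % utc_str)
        return base + timedelta(seconds=tai_minus_utc(base) + 1)
    return base + timedelta(seconds=tai_minus_utc(base))


def tai_to_utc(tai):
    """TAI datetime -> UTC text, producing 23:59:60 for an instant inside a leap second."""
    for i in range(len(LEAP_TABLE) - 1, -1, -1):
        boundary, offset = LEAP_TABLE[i]
        if tai >= boundary + timedelta(seconds=offset):
            return (tai - timedelta(seconds=offset)).strftime("%Y-%m-%dT%H:%M:%S")
        # Every entry after the first is a positive leap second: the TAI interval
        # [boundary + old offset, boundary + new offset) is UTC 23:59:60 of the day before.
        if i > 0 and tai >= boundary + timedelta(seconds=offset - 1):
            return (boundary - timedelta(days=1)).strftime("%Y-%m-%dT23:59:60")
    raise ValueError("before the leap-second era (1972)")


if __name__ == "__main__":
    for s in ("2012-06-30T23:59:59", "2012-06-30T23:59:60", "2012-07-01T00:00:00"):
        t = utc_to_tai(s)
        print(s, "UTC =", t.isoformat(), "TAI; back to", tai_to_utc(t), "UTC")
```

The three instants around the 2012 leap second map to consecutive TAI seconds (00:00:33, 00:00:34, 00:00:35), which is why log correlation across machines is simpler in TAI and why a UTC timestamp format that cannot carry :60 loses one second of each leap day.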
