The RISKS Digest

Forum on Risks to the Public in Computers and Related Systems

ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

Volume 27 Issue 10

Thurs 29 November 2012

Contents

Commentary on L'Aquila earthquake verdict
Rob Seaman
Drivers adapt to red-light cameras
Jim Reisert
Close margin in Alaska senate race prompts recount
PGN
Skunk knocks Colorado TV station off air
Monty Solomon
Cambridge to Study Technology's Risk to Humans
Sylvia Hui via ACM TechNews
U.S. Congress considers mandating smart cards for Medicare beneficiaries and providers
Kevin Fu
How least-cost routing slams rural telephone service, getting worse
Lauren Weinstein
"Skype vulnerability may have exposed your messages"
Woody Leonhard via Gene Wirchenko
SEC Employees Brought Sensitive Data to Black Hat...
PGN
NASA Suffers Large Data Breach Affecting Employees, Contractors, ...
Bob Charette via Ed Levinson
"Public clouds; risky business for MSPs"
Gene Wirchenko
Hotel room door locks vulnerable to hacking
Mark Thorson
RFID used to track school students
Nick Brown
More on suspended student refusing to wear tracking device
Tim Cushing via Monty Solomon
Barnes & Noble Ebooks expire with your credit card!
Tim Cushing via Monty Solomon
Syria blacks out the Internet
Paul Saffo
Excellent article on Chinese censorship
Philipp Winter/Jedidiah Crandall via PGN
When It Comes to Security, We're Back to Feudalism
WiReD via Dave Farber
"Malware uses Google Docs as proxy to command and control server"
Lucian Constantin via Gene Wirchenko
Trojan sent blackmails from PCs. Japanese Police arrested PC owners
Chiaki Ishikawa
Cyber Security and Information Intelligence Research Workshop
Frederick T. Sheldon
Info on RISKS (comp.risks)

Commentary on L'Aquila earthquake verdict

Rob Seaman <seaman@noao.edu>
Fri, 23 Nov 2012 17:11:01 -0700
Between Superstorm Sandy and the U.S. election, it has been a busy month,
and the verdict of the l'Aquila Earthquake trial has yet to be discussed on
RISKS.  In engineering it is unsurprising that with expertise comes
responsibility, occasionally rising to criminal penalties when a bridge
falls down or a programming mistake causes a medical mishap or modern
infrastructure to fail.

Yet early opinions on the conviction of seven seismologists and other
experts resulting from public comments they made prior to the 2009
earthquake in l'Aquila, Italy suggested a great resistance in the scientific
community to similar penalties, here in "failing to predict an earthquake".
For example:

http://www.wired.com/wiredscience/2012/10/the-verdict-of-the-laquila-earthquake-trial-sends-the-wrong-message/

Contrasting opinions, well worth reading and mulling over, are beginning
to emerge from others in the scientific community:
  http://arxiv.org/abs/1211.3175
and:
  http://theconversation.edu.au/laquila-charges-leave-earthquake-scientists-on-shaky-ground-10301

Perhaps the definition of "pure science" is "science I can't be thrown in
jail over".

Rob Seaman, National Optical Astronomy Observatory


Drivers adapt to red-light cameras

Jim Reisert AD1C <jjreisert@alum.mit.edu>
Tue, 27 Nov 2012 18:33:04 -0700
I think the title says it all.

"A pilot program for red-light cameras in New Jersey appears to be changing
drivers' behavior, state officials said, noting an overall decline in
traffic citations and right-angle crashes.  The Department of Transportation
also said, however, that rear-end crashes have risen by 20% and total
crashes are up by 0.9% at intersections where cameras have operated for at
least a year."

http://www.courierpostonline.com/article/20121127/NEWS01/311270020

Jim Reisert AD1C, <jjreisert@alum.mit.edu>, http://www.ad1c.us

  [Fascinating!  Collateral damage becomes collinear damage.  In NYC, I long
  ago observed that you should never stop for a light changing to red,
  particularly on a staggered-timing north-south avenue.  If you do, you are
  likely to be rear-ended by a pile-up of perhaps three taxis.  PGN]


Close margin in Alaska senate race prompts recount

"Peter G. Neumann" <neumann@csl.sri.com>
Wed, 28 Nov 2012 3:30:20 PST
The *Anchorage Daily News* reports that Alaska will conduct a recount of
votes in one contest for the state senate.  The race was certified at 7593
to 7542 votes—a margin of 51.  The nominal loser has requested a recount,
which will be conducted in Anchorage according to the title of the article,
and in Juneau according to the last sentence of the article!

http://www.adn.com/2012/11/27/2705685/recount-will-be-conducted-in-anchorage.html


Skunk knocks Colorado TV station off air

Monty Solomon <monty@roscom.com>
Tue, 13 Nov 2012 21:09:01 -0500
http://www.upi.com/Odd_News/2012/11/13/Skunk-knocks-Colorado-TV-station-off-air/UPI-93471352854469/


Cambridge to Study Technology's Risk to Humans

ACM TechNews <technews@HQ.ACM.ORG>
Wed, 28 Nov 2012 11:19:25 -0500
Sylvia Hui, Associated Press item (25 Nov 2012)
via ACM TechNews, Wednesday, November 28, 2012

The potential risks that super-intelligent technologies pose to humans will
be the focus of the proposed Center for the Study of Existential Risk at
Cambridge University.  The center will bring together philosophers and
scientists to study the idea that in this or the next century machines with
artificial intelligence could pursue their own interests.  "It tends to be
regarded as a flaky concern, but given that we don't know how serious the
risks are, that we don't know the time scale, dismissing the concerns is
dangerous," says Cambridge philosophy professor Huw Price.  "What we're
trying to do is to push it forward in the respectable scientific community."
Price says the precise nature of the risks is hard to forecast, but advanced
technology could be a threat when computers start to channel resources
toward their own goals at the expense of human concerns such as
environmental sustainability.  Price is co-founding the project with Martin
Rees, a professor of cosmology and astrophysics, and Jann Tallinn, one of
the founders of the Internet phone service Skype.  Cambridge plans to launch
the center next year.
http://news.yahoo.com/cambridge-study-technologys-risk-humans-190948884--finance.html


U.S. Congress considers mandating smart cards for Medicare beneficiaries and providers

Kevin Fu <kevinfu@cs.umass.edu>
Wed, 28 Nov 2012 23:43:10 -0500
This morning, I testified in the U.S. House on the risks of technology to
combat waste, fraud and abuse in the Medicare program.  My testimony focuses
on the expectations of smart cards to reduce fraud.  My testimony also
highlights the types of fraud that remain in countries already using smart
cards for national health programs.  In short, there are several subtle
risks in the proposed pilot program---ranging from questionable
effectiveness and questionable evaluation methods to negative impact on
patient care.  I recommend ways to improve the utility of a pilot study.

http://www.govtrack.us/congress/bills/112/hr2925/text
http://energycommerce.house.gov/hearing/examining-options-combat-health-care-waste-fraud-and-abuse
http://energycommerce.house.gov/sites/republicans.energycommerce.house.gov/files/Hearings/Health/20121128/HHRG-112-IF14-WState-FuK-20121128.pdf
http://blog.secure-medicine.org/2012/11/dr-fu-goes-to-washington.html

Kevin Fu, Associate Professor, Computer Science & Engineering
University of Michigan, http://spqr.cs.umass.edu/ (lab moves to MI 1 Jan)


How least-cost routing slams rural telephone service, getting worse

Lauren Weinstein <lauren@vortex.com>
Wed, 28 Nov 2012 11:10:54 -0800
http://j.mp/StvI4l  (Addison Independent via NNSquad)

  "Farmhouses surrounded with many acres of fields, houses that may be miles
  apart. It's the geography and demographics of the area," Souza says. "It's
  the same reason that there's limited cell service in these areas. You
  might put up one cell tower, but the six it would take to provide complete
  coverage in the terrain are just not cost-justified."  A rural phone
  service provider like Shoreham Tel maintains a small network of its own
  copper wires, then connects with the rest of the world via "trunking" or
  switching centers connecting with a larger carrier. Shoreham Tel's lines
  have trunking with the network maintained by FairPoint.  "People in Sprint
  or Verizon don't have direct switching with us, but they do have direct
  with FairPoint's tandem switching. So FairPoint turns the call over to us
  and we terminate the call. The system has worked flawlessly for years,"
  Souza says.  "Then the least-cost routing issue emerged in the last three
  years. Entities started doing this, shaving every last penny out of
  it. Our customers aren't happy, and we understand that. But we can't
  control the other side of the system with calls coming at us."


"Skype vulnerability may have exposed your messages" (Woody Leonhard)

Gene Wirchenko <genew@ocis.net>
Wed, 14 Nov 2012 16:18:31 -0800
Woody Leonhard, *InfoWorld*, 14 Nov 2012
Microsoft sat by for months before plugging a security hole that
could have allowed others to see all your stored Skype data
  http://www.infoworld.com/t/cloud-security/skype-vulnerability-may-have-exposed-your-messages-207051


SEC Employees Brought Sensitive Data to Black Hat...

"Peter G. Neumann" <neumann@csl.sri.com>
Mon, 26 Nov 2012 10:30:17 PST
http://www.eweek.com/security/sec-employees-brought-sensitive-data-to-hacker-con-report/


NASA Suffers Large Data Breach Affecting Employees, Contractors, ...

<*Ed Levinson*>
Thursday, November 15, 2012
From the IEEE Spectrum blog by Robert N. Charette:

[On 14 Nov 2012,] NASA sent a message to all NASA employees informing them
of a data breach involving an agency stolen laptop.

According to the NASA message posted at SpaceRef.com on 31 Oct 2012, a NASA
laptop and official NASA documents issued to a Headquarters employee were
stolen from the employee's locked vehicle. The laptop contained records of
sensitive personally identifiable information (PII) for a large number of
NASA employees, contractors, and others.  Although the laptop was password
protected, it did not have whole disk encryption software, which means the
information on the laptop could be accessible to unauthorized individuals.
We are thoroughly assessing and investigating the incident, and taking every
possible action to mitigate the risk of harm or inconvenience to affected
employees.
  <http://www.spaceref.com/news/viewsr.html?pidB609>

More:
  http://spectrum.ieee.org/riskfactor/telecom/security/nasa-suffers-large-data-breach-affecting-employees-contractors-and-others/?utm_source=techalert&utm_medium=email&utm_campaign111Q2


"Public clouds; risky business for MSPs"

Gene Wirchenko <genew@ocis.net>
Tue, 20 Nov 2012 09:04:45 -0800
CDN CURATED: Toronto MSP posts a blog about the risks of public clouds,
19 Nov 2012
http://www.itbusiness.ca/it/client/en/CDN/News.asp?id=69373

opening paragraph:

If there was ever an example of why Public Cloud storage can be hazardous,
it was Go Daddy's service outage earlier this week. Thousands (or millions
-- depending on whom you ask) of domains were taken off line. Businesses not
only lost their websites, a number of them lost access to their e-mail. This
lasted for 6 hours.


Hotel room door locks vulnerable to hacking

Mark Thorson <eee@sonic.net>
Thu, 29 Nov 2012 07:33:03 -0800
An exploit revealed at the Black Hat conference is now suspected to be the
method by which hotel rooms are being burglarized.  A simple tool can plug
into a port on the locks, reveal the secret key, and open them.  The
manufacturer is refusing to upgrade the locks for free, which places many
hotel customers at risk.

http://www.forbes.com/sites/andygreenberg/2012/11/26/security-flaw-in-common-keycard-locks-exploited-in-string-of-hotel-room-break-ins/

Now you've got something to take your mind off the bedbugs.


RFID used to track school students

"Nick Brown, Strasbourg, France" <nick.brown@free.fr>
Mon, 26 Nov 2012 11:32:30 +0100 (CET)
The BBC reports (http://www.bbc.co.uk/news/technology-20461752) that a
school in Texas is using RFID tags to track student movements around campus,
apparently to satisfy a reporting requirement (apparently there is a
monotonic relationship between the number of students attending on any given
day and state funding, which is a whole separate discussion).

What I found surprising in this case is that the only (reported) opposition
to this seems to have been on religious grounds; one student claims*
that "an individual's acceptance of a certain code, identified with his or
her person, as a pass conferring certain privileges from a secular ruling
authority, is a form of idolatry or submission to a false god".  I'm not in
a position to judge whether that is a sincerely-held point of view, or
whether protests based on more secular reasoning --- such as, for example,
"this is a really, really terrible idea" --- have been rejected out of hand.
(After all, what could possibly go wrong with a system that displays and
records the exact whereabouts of teenagers throughout the day?)

* https://www.rutherford.org/files_images/general/11-21-2012_TRO-Petition_Hernandez.pdf


More on suspended student refusing to wear tracking device (Tim Cushing)

Monty Solomon <monty@roscom.com>
Tue, 27 Nov 2012 23:45:19 -0500
Tim Cushing, Court Temporarily Blocks School District From Suspending
Student For Refusing To Wear Student ID/Tracking Device, Techdirt, 27 Nov
2012

http://www.techdirt.com/articles/20121125/15041521137/court-temporarily-blocks-school-district-suspending-student-refusing-to-wear-student-idtracking-device.shtml


Barnes & Noble Ebooks expire with your credit card! (Tim Cushing)

Monty Solomon <monty@roscom.com>
Tue, 27 Nov 2012 23:45:19 -0500
Tim Cushing, Barnes & Noble Decides That Purchased Ebooks Are Only Yours
Until Your Credit Card Expires, Techdirt, 27 Nov 2012

http://www.techdirt.com/articles/20121126/18084721154/barnes-noble-decides-that-purchased-ebooks-are-only-yours-until-your-credit-card-expires.shtml


Syria blacks out the Internet

Paul Saffo <paul@saffo.com>
Thu, 29 Nov 2012 10:50:56 -0800
This is a first—a countrywide Internet blackout. It is going to have all
sorts of unexpected consequences, but frankly I am surprised it took them so
long to do it (they probably didn't know how)...

An Akamai chart shows the shutdown pretty dramatically.  Here is the
original report of the blackout with continuing coverage—note the charts:
  http://www.renesys.com/blog/2012/11/syria-off-the-air.shtml

  [See also techcrunch.  PGN]
http://techcrunch.com/2012/11/29/syria-shuts-down-internet-mobile-services-and-land-lines-partially-down-in-midst-of-uprising/


Excellent article on Chinese censorship

"Peter G. Neumann" <neumann@csl.sri.com>
Tue, 27 Nov 2012 13:56:49 PST
Philipp Winter and Jedidiah R. Crandall,
The Great Firewall of China:
  How it blocks Tor and why it is hard to pinpoint
usenix;login: December 2012 vol 37 no 6


When It Comes to Security, We're Back to Feudalism (WiReD)

Dave Farber <dave@farber.net>
Tue, 27 Nov 2012 10:17:59 -0500
Some of us have pledged our allegiance to Google: We have Gmail accounts, we
use Google Calendar and Google Docs, and we have Android phones. Others have
pledged allegiance to Apple: We have Macintosh laptops, iPhones, and iPads;
and we let iCloud automatically synchronize and back up everything.  Still
others of us let Microsoft do it all. Or we buy our music and e-books from
Amazon, which keeps records of what we own and allows downloading to a
Kindle, computer, or phone. Some of us have pretty much abandoned e-mail
altogether—for Facebook.
  http://www.wired.com/opinion/2012/11/feudal-security/


"Malware uses Google Docs as proxy to command and control server"

Gene Wirchenko <genew@ocis.net>
Tue, 20 Nov 2012 12:45:22 -0800
Lucian Constantin, IDG News Service, *InfoWorld*, 19 Nov 2012
Backdoor.Makadocs variant uses Google Drive Viewer feature to receive
instructions from its real command and control server
http://www.infoworld.com/d/security/malware-uses-google-docs-proxy-command-and-control-server-207428


Trojan sent blackmails from PCs. Japanese Police arrested PC owners

"ISHIKAWA,chiaki" <ishikawa@yk.rim.or.jp>
Fri, 23 Nov 2012 04:15:05 +0900
In a few very public cases, a backdoor trojan (the Japanese press calls it a
virus) sent threatening blackmail messages from unsuspecting people's PCs.

It is believed that the trojan was probably inside free software, such as a
photo-retouching utility, that the unsuspecting people downloaded from a
bulletin board or similar. But the transfer vector is still sketchy.

These incidents happened this summer (2012).

These threatening messages caused complaints from the recipients, and the
police moved.  However, the Japanese police branches were misled into
believing that the owners of the PCs had sent these threatening messages.

The PCs were identified by the IP address used to send the e-mail or to post
a message to the recipients' web interface.

Since an IP address is a unique identifier, the PC can be uniquely
identified. And naturally, the owners of the PCs are suspects, correct?

One man in Osaka, from whose PC a threatening message (close to 250 bytes or
so) was uploaded within one second of the initial access to the city's web
page on 29 July, was approached by the police and interrogated.

He told the police investigators that he had no knowledge of it, and
suggested that someone might have hijacked the Wi-Fi he was using, among
other possibilities. He vehemently denied sending the message under repeated
questioning.

But to no avail. He was detained on 26 Aug 2012 and charged with a crime on
14 Sep. The access-log records on his PC for the time period of the
blackmailing seemed to have been erased by the trojan. This missing record
for the crucial date made the police more suspicious of the man; they thought
he had tried to hide his act.

So he was awaiting trial.

However, the police in Mie prefecture, who had charged another man in a
similar blackmail-message case in early September, noticed traces of a
strange file on the man's PC. COTS (commercial off-the-shelf) virus checkers
and the like could not identify it.  With help from certain unnamed security
firms, the Mie police concluded that there was a trojan on the man's
computer and that the possibility of the trojan sending out or posting the
threatening messages could not be ruled out.  So the man was freed one week
after his arrest.

The Mie police then told the police in Osaka of their finding and of the
suspicious file name (iesys.exe).

Based on this new information, the Osaka police studied the first man's PC
more carefully (I suppose; they had checked the first man's PC with a COTS
virus scanner and the like before the original arrest, but found nothing).
The Osaka police now figured that the same or a similar trojan had been on
the computer. The trojan seems to have erased itself after the crime, which
is why it was not spotted earlier (but it seems the files could now be
recovered by the police's tools, given the new knowledge).

After considering this infection, and that uploading a 250+ byte message
within one second is not humanly possible by simply typing, clicking buttons
with a mouse and navigating the web manually, the man facing trial was freed
on 21 Sep.

After these two publicised cases were reported on TV news, and the danger of
these trojans and the ordeal of the two men had been covered for about a
week, the media uncovered another case, of a man in Tokyo who had "admitted"
that he sent a threatening e-mail from a PC in his house. (He thought he was
protecting another family member, who he believed had sent the threatening
e-mail. We learned later that a trojan had sent it.)

We then learned of yet another case: a youth in his teens also admitted
sending a blackmail threat from his PC in a similar case, and his case was
closed quickly as uncontested, since the youth "admitted" that he had sent
the blackmail.  (In this case, it seems that the youth figured he would not
receive a harsh penalty and could get the case over with quickly by falsely
"admitting" to the charge.)

Now, whoever masterminded the operation of these trojans has come out of the
dark and sent the details of his/her operation to a lawyer who had appeared
in a TV news segment covering these cases.

The e-mail, sent from a server in a foreign country, contained details of
the blackmail messages that only the recipients and the police knew. So the
police now believe that these messages from the purported mastermind are
genuine.  This mastermind told the lawyer that the teenager is innocent, and
that his/her act was meant to make fun of the police and prosecutors'
offices, whose IT skills are, in his/her opinion, the laughing stock of the
town. He/she was sorry to have caused grief to the owners of the computers
and thus came out of the dark.

After the general outline of the e-mails from the mastermind became public,
the police and prosecutors' offices formally apologized to the people who had
been suspected, arrested or charged, and the national police agency sent out
a notice about not trusting an IP address alone as key evidence in similar
cases.

To people in the IT industry and readers of RISKS, this is a no-brainer, but
before the Japanese police and prosecutors' offices were made keenly aware of
it, some people suffered through very frustrating summer months.

Also, there has been heavy criticism of the high-handed police investigations
that forced a few people to "admit" to a crime they did not commit after
all. There have been cases of police and prosecutor mistakes that kept
innocent people in jail for many years, so the Japanese public is very
critical of these issues today.  Even the courts, which have been very
prosecutor-friendly, seem to be thinking more carefully about police evidence
in some publicised cases.

Now, the Japanese police are asking for cooperation from overseas police
organizations and ISPs to trace the e-mails sent to the lawyer, in the slim
hope that it may lead to the origin.

All of this happened just because of recorded IP addresses.

I am reporting this now since English coverage of these incidents seems to
be rare (or is swamped by the flood of voting-related issues this fall).
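
  [The timing inference that finally cleared the man in Osaka (a message
  body of 250-odd bytes submitted within a second of the first access to
  the page) can be checked mechanically against a web server's own logs.
  What follows is an added illustration, not code from the original post or
  from any of the investigations it describes.  The log format, the sample
  lines, the client addresses, the paths and the typing-speed threshold are
  all assumptions made for the example.]

```python
"""Flag web-form submissions that arrive faster than a human could type them.

Added example for the RISKS item above; not code from the original post or
from any police investigation.  The log format, sample lines, paths and
typing-speed threshold are assumptions.
"""
import re
from datetime import datetime

# Constructed log lines (not real server logs).  Fields: client address,
# timestamp, method, path, status, request body bytes.  The first client
# "types" 262 bytes in one second; the second takes two and a half minutes.
SAMPLE_LOG = """\
203.0.113.7 [29/Jul/2012:14:03:10 +0900] GET /contact/ 200 0
203.0.113.7 [29/Jul/2012:14:03:11 +0900] POST /contact/submit 302 262
198.51.100.4 [29/Jul/2012:14:10:02 +0900] GET /contact/ 200 0
198.51.100.4 [29/Jul/2012:14:12:40 +0900] POST /contact/submit 302 240
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \[(?P<ts>[^\]]+)\] (?P<method>[A-Z]+) (?P<path>\S+) '
    r'(?P<status>\d{3}) (?P<body>\d+)$')
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

# Assumed upper bound on sustained typing into a web form: about ten
# characters per second, beyond what even a fast typist sustains.
MAX_HUMAN_CHARS_PER_SEC = 10.0


def parse_log(text):
    """Parse the constructed log lines into dicts; lines that do not match
    the assumed format are skipped rather than guessed at."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        d = m.groupdict()
        d["ts"] = datetime.strptime(d["ts"], TS_FMT)
        d["status"] = int(d["status"])
        d["body"] = int(d["body"])
        entries.append(d)
    return entries


def find_fast_submissions(entries, form_path, submit_path,
                          max_cps=MAX_HUMAN_CHARS_PER_SEC):
    """Return (ip, submit_time, body_bytes, elapsed_seconds, flagged) tuples.

    For each POST to submit_path, elapsed time is measured from the most
    recent GET of form_path by the same client address.  The submission is
    flagged when its body could not have been typed inside that window.
    """
    results = []
    last_form_get = {}
    for e in sorted(entries, key=lambda e: e["ts"]):
        if e["method"] == "GET" and e["path"] == form_path:
            last_form_get[e["ip"]] = e["ts"]
        elif e["method"] == "POST" and e["path"] == submit_path:
            start = last_form_get.get(e["ip"])
            # No prior form fetch from this address means the body was sent
            # without loading the page first; treat the window as zero.
            elapsed = 0.0 if start is None else (e["ts"] - start).total_seconds()
            min_human_seconds = e["body"] / max_cps
            flagged = elapsed < min_human_seconds
            results.append((e["ip"], e["ts"], e["body"], elapsed, flagged))
    return results


if __name__ == "__main__":
    for ip, ts, body, elapsed, flagged in find_fast_submissions(
            parse_log(SAMPLE_LOG), "/contact/", "/contact/submit"):
        verdict = "not typed by a human in that window" if flagged else "plausible"
        print(f"{ip} {ts:%Y-%m-%d %H:%M:%S} {body} bytes in {elapsed:.0f}s: {verdict}")
```

  [Note what the flag does and does not say.  It says only that the
  submission was not typed during that window, which is the observation the
  Osaka police eventually relied on.  It says nothing about who controlled
  the endpoint: the address in the first field identifies a network endpoint
  (possibly a NAT gateway or a hijacked Wi-Fi access point, as the man in
  Osaka suggested), not a person, and a trojan that erases its own traces
  leaves the same server-side log as its victim would.]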


Cyber Security and Information Intelligence Research Workshop

"Sheldon, Frederick T." <sheldonft@ornl.gov>
Tue, 27 Nov 2012 12:25:17 -0500
Cyber Security and Information Intelligence Research Workshop (CSIIRW)
RESCHEDULED.  See
  www.csiir.ornl.gov/csiirw

The workshop will be held at Oak Ridge National Laboratory.  In the
aftermath of Hurricane Sandy, it seems fortuitous that we delayed the
workshop to 8-10 Jan 2013. I'm certain that many people would not have been
able to attend.

To register for the event, you can simply go to:
  www.csiir.ornl.gov/csiirw and  click on registration.

There are some points-of-interest starting with the advance program:
  http://csiir.ornl.gov/csiirw/12/files/csiirw8-schedule.pdf

and invited speakers:
  http://csiir.ornl.gov/csiirw/12/keynotes.html

This year's theme is Federal Cyber Security R&D Program Thrusts, which is
based on the Federal Cybersecurity R&D Strategic Plan:
  http://www.whitehouse.gov/blog/2011/12/06/federal-cybersecurity-rd-strategic-plan-released

Frederick T. Sheldon, Ph.D., CSIIRW General Co-chair
Oak Ridge National Laboratory, 576-1339 Office 576-5943 Fax
