The Risks Digest

The RISKS Digest

Forum on Risks to the Public in Computers and Related Systems

ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

Volume 27 Issue 15

Tuesday 29 January 2013

Contents

Digital Map Error May Have Led To Minesweeper Grounding
Paul Saffo
U-verse back up after outage hit thousands
Lauren Weinstein
$180M case management system for social workers may have to be abandoned
Jonathan Thornburg
How AT&T used to put service during emergencies at top priorities
Lauren Weinstein
"Skin cancer apps 'dangerous'"
Robyn Preston via Gene Wirchenko
Grammar badness makes cracking harder the long password
Dan Goodin via Monty Solomon
Student's Expulsion Exposes Computer Science Culture Gap
Robert Schaefer
School that expelled student hacker may have ignored old flaw
Ted Samson via Gene Wirchenko
Man outsources his own job to China
Robert Schaefer
MIT hacked again, URLs redirected
Joanna Kao via Monty Solomon
Mathematicians aim to take publishers out of publishing
Richard van Noorden via Dewayne Hendricks via Dave Farber
Cyber Security in 2013: How Vulnerable to Attack Is U.S. Now?
ACM TechNews
Red October
Peter G. Neumann
Major vulnerabilities in Cisco VoIP phones
Lauren Weinstein
"Twitter flaw gave third-party apps unauthorized access to private messages, researcher says"
Lucian Contstantin via Gene Wirchenko
"Tweeted photos not free to publish, judge rules"
Goyal/MacKenzie via Gene Wirchenko
"World's first 'tax' on Microsoft's Internet Explorer 7"
Gene Wirchenko
12 Common Election Security Myths
R.G. Johnston via PGN
12 survival tips from the spouse of a serial startup executive
Jeff Jedras via Gene Wirchenko
Exposure of files on unsecured wireless no excuse to search ...
Jaikumar Vijayan via Monty Solomon
Great blog posting in Scientific American re Comment Moderation
Lauren Weinstein
Info on RISKS (comp.risks)

Digital Map Error May Have Led To Minesweeper Grounding

Paul Saffo <paul@saffo.com>
Tue, 22 Jan 2013 21:21:44 -0800
This is a good one given the fact that the skipper of the minesweeper was
warned over the radio by the park rangers that they were on a collision
course and the skipper told them to "contact the US embassy.  Rather like
the old story of the battleship skipper ordering the lighthouse to move!  -p

Christopher P. Cavas, Digital Map Error May Have Led To Minesweeper Grounding
blogs.defensenews.com/intercepts/2013/01/digital-map-error-may-have-led-to-mineweeper-grounding/

A digital chart used by the minesweeper USS Guardian to navigate Philippine
waters misplaced the location of a reef by about eight nautical miles, and
may have been a significant factor when the ship drove hard aground on the
reef on 17 Jan 2013.

As of 18 Jan, U.S. Navy ships have been directed to “operate with caution''
when using similar electronic charts and compare the map data with paper
charts, which are considered accurate.

The Guardian drove onto Tubbataha Reef in the Sulu Sea around 2:25 a.m. on
17 Jan (some sources cite a date of 16 Jan, since that was the date in
Washington, D.C. when the incident occurred). The reef is about 80 miles
east-southeast of Palawan Island.

  [Long item truncated for RISKS.  Worth reading.  PGN]

  [The original Navy item noted by Bob Gezelter:
    http://www.navy.mil/submit/display.asp?story_idq553
  PGN]

    Even worse than when LA-class nuclear sub San Francisco hit an uncharted
    seamount se of Guam in 2005. They were below 500 ft and running at flank
    speed and nearly lost the vessel. Though the seamount wasn't on charts,
    there was secondary info that there might be a seamount in the area, and
    in any case the chart noted that the region has largely uncharted. [...]
    [Added note from Paul Saffo.  PGN]


U-verse back up after outage hit thousands

Lauren Weinstein <lauren@vortex.com>
Thu, 24 Jan 2013 19:23:39 -0800
http://j.mp/14bnNPH  (CNN via NNSquad)

  "Service had been restored by midday Thursday for tens of thousands of
  AT&T's U-verse TV, Internet and phone customers after an outage that
  lasted several days."  [It started on Monday. PGN]

This is the same AT&T begging the FCC to allow it to abandon traditional
POTS phone service and provide *all* phone service via U-verse, et al.  This
was just a software upgrade problem.  Imagine what could happen during a
true emergency!


$180M case management system for social workers may have to be abandoned

Jonathan Thornburg <jthorn@astro.indiana.edu>
Tue, 29 Jan 2013 12:38:52 -0800 (PST)
http://www.cbc.ca/news/canada/british-columbia/story/2013/01/29/bc-government-computer-report.html

*Report finds flaws in new B.C. government computer system*
CBC News
Posted: Jan 29, 2013 6:48 AM PT
Last Updated: Jan 29, 2013 8:43 AM PT

The Ministry of Children and Family Development may have to abandon
its use of a $180-million information sharing system that was
supposed to help prevent vulnerable children from slipping through
the cracks.

The Integrated Case Management System is supposed to replace 64
different databases, linking information between social workers,
police, service providers and other ministries.

But an independent consultant's report has found major flaws,
including a lack of knowledge about the system's goals and insufficient
resources for training.

Minister Stephanie Cadieux admits child protection workers are using
the old system while a solution is sought.

[[...]]

An earlier report on problems with the Integrated Case Management System
is at
http://www.cbc.ca/news/canada/british-columbia/story/2012/06/06/bc-government-computer-glitches.html


How AT&T used to put service during emergencies at top priorities

Lauren Weinstein <lauren@vortex.com>
Sat, 26 Jan 2013 13:00:54 -0800
[Video] 1979: "Any day without warning" - How AT&T used to put service
during emergencies at the top of their priorities
http://j.mp/14hSP8k  (AT&T via NNSquad)

Today, AT&T is asking the FCC for the right to abandon traditional
central-office phone service—and virtually all government regulations --
causing great concerns about how phone services will function in
emergencies.  Recent history is very disturbing in these regards.  Yet, over
on the wonderful "AT&T Tech Channel," we can see how AT&T used to put
service reliability during emergencies at the top of their priorities, as
shown in this video from 1979.


"Skin cancer apps 'dangerous'"

Gene Wirchenko <genew@telus.net>
Mon, 28 Jan 2013 09:52:39 -0800
Robyn Preston, *The Sydney Morning Herald*, 18 Jan 2013

Experts are warning people not to replace visits to the doctor with
smartphone apps that claim to detect skin cancer after a study found the
technology gets it wrong almost a third of the time.
http://www.smh.com.au/digital-life/smartphone-apps/skin-cancer-apps-dangerous-20130117-2cva6.html


Grammar badness makes cracking harder the long password (Dan Goodin)

<*Monty Solomon*>
Saturday, January 26, 2013
Dan Goodin, Ars Technica, 24 Jan 2013
Password crackers get an English lesson.

When it comes to long phrases used to defeat recent advances in password
cracking, bigger isn't necessarily better, particularly when the phrases
adhere to grammatical rules.

A team of Ph.D. and grad students at Carnegie Mellon University and the
Massachusetts Institute of Technology have developed an algorithm that
targets passcodes with a minimum number of 16 characters and built it into
the freely available John the Ripper cracking program.  The result: it was
much more efficient at cracking passphrases such as "abiggerbetter password"
or "thecommunistfairy" because they followed commonly used grammatical
rules-in this case, ordering parts of speech in the sequence "determiner,
adjective, noun." When tested against 1,434 passwords containing 16 or more
characters, the grammar-aware cracker surpassed other state-of-the-art
password crackers when the passcodes had grammatical structures, with 10
percent of the dataset cracked exclusively by the team's algorithm.

The approach is significant because it comes as security experts are
revising password policies to combat the growing sophistication of modern
cracking techniques which make the average password weaker than ever
before. A key strategy in making passwords more resilient is to use phrases
that result in longer passcodes. Still, passphrases must remain memorable to
the end user, so people often pick phrases or sentences. It turns out that
grammatical structures dramatically narrow the possible combinations and
sequences of words crackers must guess. One surprising outcome of the
research is that the passphrase "Th3r3 can only b3 #1!" (with spaces
removed) is one order of magnitude weaker than "Hammered asinine
requirements" even though it contains more words. Better still is "My
passw0rd is $uper str0ng!"  because it requires significantly more tries to
correctly guess. ...

http://arstechnica.com/security/2013/01/grammar-badness-makes-cracking-harder-the-long-password/


Student's Expulsion Exposes Computer Science Culture Gap

Robert Schaefer <rps@haystack.mit.edu>
Thu, 24 Jan 2013 07:52:42 -0500
Wysopal: “Most Computer Science departments are still living in the
pre-Internet era when it comes to computer security.  Computer Science is
taught in this idealized world separate from reality. They're not dealing
with the reality that software has to run in a hostile environment.''

http://securityledger.com/students-expulsion-exposes-computer-science-culture-gap/

Robert Schaefer, Atmospheric Sciences, MIT Haystack Observatory, Westford
MA 01886 rps@haystack.mit.edu, 781-981-5767, http://www.haystack.mit.edu


School that expelled student hacker may have ignored old flaw

Gene Wirchenko <genew@telus.net>
Fri, 25 Jan 2013 08:14:17 -0800
Ted Samson, *InfoWorld*, 22 Jan 2013
http://www.infoworld.com/t/security/school-expelled-student-hacker-may-have-ignored-16-month-old-security-flaw-211314

School that expelled student hacker may have ignored 16-month-old security
flaw Dawson College stuck to its policies in expelling Hamed Al-Khabaz, but
now the school must answer for its security failings


Man outsources his own job to China

robert schaefer <rps@haystack.mit.edu>
Wed, 16 Jan 2013 08:33:52 -0500
https://securityblog.verizonbusiness.com/2013/01/14/case-study-pro-active-log-review-might-be-a-good-idea/

"The scenario was as follows. We received a request from a US-based company
asking for our help in understanding some anomalous activity that they were
witnessing in their VPN logs. This organization had been slowly moving
toward a more telecommuting oriented workforce, and they had therefore
started to allow their developers to work from home on certain days...As it
turns out, Bob had simply outsourced his own job to a Chinese consulting
firm. Bob spent less that one fifth of his six-figure salary for a Chinese
firm to do his job for him.  Authentication was no problem, he physically
FedExed his RSA token to China so that the third-party contractor could
log-in under his credentials during the workday."


MIT hacked again, URLs redirected (Joanna Kao)

Monty Solomon <monty@roscom.com>
Wed, 23 Jan 2013 01:14:11 -0500
Joanna Kao, *The Tech*, 22 Jan 2013

MIT was hacked on Tuesday around noon, with MIT URLs redirecting to a
webpage claiming credit for the attack in remembrance of Aaron Swartz.

As a result of the hack, people who visited tried to reach MIT over the
Internet were redirected to the hacked Web page pictured here:
http://goo.gl/kxdm1. The hack affected all names under mit.edu, including
web.mit.edu, tech.mit.edu, etc.

The hack and subsequent outages were due to a compromise at EDUCAUSE, the
registrar that provides information on all .EDU names. A registrar, which
allows users to purchase domain names, also specifies the domain name system
(DNS) servers for a domain, which convert domain names to IP addresses -
needed to actually load the page. ...

http://tech.mit.edu/V132/N62/hack.html


Mathematicians aim to take publishers out of publishing

<*Dewayne Hendricks*>
Friday, January 18, 2013
Episciences Project to launch series of community-run, open-access journals.
Richard Van Noorden, *Nature*, 17 Jan 2013 [via Dave Farber's IP]

http://www.nature.com/news/mathematicians-aim-to-take-publishers-out-of-publishing-1.12243

Mathematicians plan to launch a series of free open-access journals that
will host their peer-reviewed articles on the preprint server arXiv. The
project was publicly revealed yesterday in a blog post by Tim Gowers, a
Fields Medal winner and mathematician at the University of Cambridge, UK.

The initiative, called the Episciences Project, hopes to show that
researchers can organize the peer review and publication of their work at
minimal cost, without involving commercial publishers.

“It's a global vision of how the research community should work: we want to
offer an alternative to traditional mathematics journals,'' says Jean-Pierre
Demailly, a mathematician at the University of Grenoble, France, who is a
leader in the effort. Backed by funding from the French government, the
initiative may launch as early as April, he says.

Many mathematicians—and researchers in other fields—claim that they
already do most of the work involved in publishing their research. At no
cost, they type up and format their own papers, post them to online servers,
join journal editorial boards and review the work of their peers.  By
creating journals that publish links to peer-reviewed work on servers such
as arXiv, Demailly says, the community could run its own publishing
system. The extra expense involved would be the cost of maintaining websites
and computer equipment, he says.

That cost is not small, but it could eventually be provided in part by the
journals' users. The arXiv server, for example, costs about US $826,000 a
year to run, and is funded by the Cornell University Library in Ithaca, New
York; the Simons Foundation in New York and institutional members.

Demailly says that he first thought of open-access electronic journals that
overlay arXiv eight years ago, but the concept became a reality only last
June, when he was contacted by the Centre for Direct Scientific
Communication (CCSD), based in Villeurbanne, France. The CCSD, a unit of
the French National Centre for Scientific Research, develops open-access
repositories such as the multidisciplinary archive HAL, which mirrors the
arXiv site.

[snip]

Dewayne-Net RSS Feed: <http://www.warpspeed.com/wordpress>


Cyber Security in 2013: How Vulnerable to Attack Is U.S. Now?

ACM TechNews <technews@HQ.ACM.ORG>
Mon, 14 Jan 2013 11:44:46 -0500
ACM TechNews, Monday, January 14, 2013

Cyber Security in 2013: How Vulnerable to Attack Is U.S. Now?
Christian Science Monitor (01/09/13) Mark Clayton

Last year offered many unsettling revelations for businesses, individuals,
and U.S. government officials concerned about their vulnerability to
cyberattack.  Hackers launched offensives that took aim at a wide range of
targets, including ordinary citizens' financial information, bank Web sites,
critical infrastructure, and important federal agencies.  "The cyberthreat
facing the nation has finally been brought to public attention," says the
Center for Strategic and International Studies' James Lewis.  However, he
noted there is more befuddlement than clarity on the subject of
cybersecurity, and cultivation of the skills to discuss cybersecurity is
progressing at a slower pace than hoped.  Although there are many
cyberthreat sources, the U.S. Pentagon is chiefly concentrating on the
growing cyberwarfare capabilities of China, Russia, and Iran.  Adding to the
challenge of shoring up defenses is the multitude of cyberattackers with
diverse motivations and targets.  Meanwhile, the U.S. Cyber Consequences
Unit reports that at a corporate level, cyberattacks could potentially
generate liabilities and losses of sufficient size to bankrupt most
companies.  Meanwhile, awareness of cyberthreats is on the rise, with a
Central Intelligence Agency cybersecurity index estimating that corporate
chief information security officers reported a 50 percent increase in the
"measure of perceived risk" since March 2011.
http://www.csmonitor.com/USA/2013/0109/Cyber-security-in-2013-How-vulnerable-to-attack-is-US-now-video


Red October

"Peter G. Neumann" <neumann@csl.sri.com>
Mon, 14 Jan 2013 11:21:24 PST
Researchers at Kaspersky Lab have uncovered an "advanced cyber espionage
network" - dubbed Red October - that has been active for at least five years
and is targeting diplomatic and government agencies.

Red October:   http://www.pcmag.com/article2/0,2817,2414260,00.asp


Major vulnerabilities in Cisco VoIP phones

Lauren Weinstein <lauren@vortex.com>
Fri, 4 Jan 2013 13:37:17 -0800
Major vulnerabilities in Cisco VoIP phones

http://t.co/ntF86rH2  (*Science Daily* via NNSquad)

  "Cisco has since released a patch to repair these vulnerabilities but it
  is ineffective. "It doesn't solve the fundamental problems we've pointed
  out to Cisco," Cui observes. "We don't know of any solution to solve the
  systemic problem with Cisco's IP Phone firmware except for the Symbiote
  technology or rewriting the firmware. We plan to demonstrate a
  Symbiote-protected Cisco IP Phone at an upcoming conference."  The
  research conducted by Stolfo and Cui was funded by DARPA (Defense Advanced
  Research Projects Agency), IARPA (Intelligence Advanced Research Projects
  Activity), and DHS (Department of Homeland Security)."


Twitter flaw gave third-party apps unauthorized access to private messages, researcher says" (Lucian Contstantin)

Gene Wirchenko <genew@telus.net>
Fri, 25 Jan 2013 08:18:05 -0800
Lucian Constantin, InfoWorld, 22 Jan 2013

Twitter flaw gave third-party apps unauthorized access to private messages,
researcher says.  The issue was fixed, but apps that gained this permission
without proper authorization still have it.
http://www.infoworld.com/d/security/twitter-flaw-gave-third-party-apps-unauthorized-access-private-messages-researcher-says-211304


"Tweeted photos not free to publish, judge rules" (Goyal/MacKenzie)

Gene Wirchenko <genew@telus.net>
Fri, 25 Jan 2013 08:09:19 -0800
Monica Goyal and Jon Mackenzie
http://blogs.itbusiness.ca/2013/01/tweeted-photos-not-free-to-publish-judge-rules/

opening paragraph:

The debate around ownership of content posted by users of online social
media services continues.  In the wake of the recent uproar surrounding
Instagram's proposed Terms of Service changes designed to allow them to
claim ownership over their users' posted photographs, the New York
District Court has clarified the issues surrounding ownership of photos
posted on Twitter in a recent decision – AFP v Morel. While the ownership
and usage rights of content posted by users on their social media accounts
will no doubt continue to be debated by social media companies, users, and
the courts, this case does clarify some important= points.


"World's first 'tax' on Microsoft's Internet Explorer 7"

Gene Wirchenko <genew@telus.net>
Wed, 23 Jan 2013 10:28:53 -0800
http://www.bbc.co.uk/news/technology-18440979
World's first 'tax' on Microsoft's Internet Explorer 7

selected text:

"I was constantly on the line to my web team. The amount of work and effort
involved in making our website look normal on IE7 equaled the combined time
of designing for Chrome, Safari and Firefox."


12 Common Election Security Myths (R.G. Johnston)

"Peter G. Neumann" <neumann@csl.sri.com>
Tue, 29 Jan 2013 11:50:56 PST
An item by Roger G. Jonston of the Vulenrability Assessment Team at the
Argonne National Laboratory lists 12 myths, and counters each of them with a
pithy counter-argument.  For any remaining RISKS readers who still believe
that election systems are adequately secure, this is crucial reading.

  http://jps.anl.gov/Volume6_iss1/JohnstonVP.pdf

Thanks to Andrew Appel for spotting this one... PGN


"12 survival tips from the spouse of a serial startup executive" (Jeff Jedras)

Gene Wirchenko <genew@telus.net>
Fri, 25 Jan 2013 08:10:56 -0800
Jeff Jedras, Mitigating a different kind of computer-related risk
*IT Business*, 23 Jan 2013

The wife of a startup entrepreneur turned venture capitalist shares tips for
other startup spouses on making the relationship work.
http://www.itbusiness.ca/it/client/en/Home/News.asp?id=69767


Exposure of files on unsecured wireless no excuse to search ... (Jaikumar Vijayan)

Monty Solomon <monty@roscom.com>
Thu, 24 Jan 2013 10:42:07 -0500
Exposure of files on unsecured wireless no excuse to search, judge rules
Warrantless search of file violated defendant's Fourth Amendment right,
federal judge says in child porn case

Jaikumar Vijayan, ComputerWorld , 23 Jan 2013

ComputerWorld - An individual who inadvertently exposes the contents of his
computer over an unsecured wireless network still has a reasonable
expectation of privacy against a search of those contents by the police, a
federal judge in Oregon ruled last week.

The ruling involves John Henry Ahrndt, a previously convicted sex offender
who was sentenced to 120 months in prison for possession of child
pornography on his computer.

Ahrndt had argued that some of the evidence that was used against him in
court had been gathered illegally. He had filed an appeal asking the
U.S. District Court for the District of Oregon in Portland to suppress the
evidence on the grounds that his Fourth Amendment rights against
unreasonable search had been violated.

Oregon District Court Judge Garr King initially denied Ahrndt's motion to
suppress but picked up the case again last year after the U.S. Court of
Appeals for the Ninth Circuit reversed King's first ruling.

In a 34-page ruling last week, King granted Ahrndt's renewed motion to
suppress the evidence gathered by police from his hard drive and also
ordered his subsequent testimony to them to be suppressed as well.

Ahrndt's case goes back to 2007 when one of his neighbors, a woman referred
to only as "JH" in court documents, connected to the Internet using her own
wireless network. When JH's network temporarily malfunctioned, her computer
automatically connected to Ahrndt's unsecured wireless network.

When JH subsequently opened her iTunes software to listen to music, she
noticed that another user library called "Dads LimeWire Tunes" from Ahrndt's
computer, was also available for sharing, court documents said.

When JH clicked on the folder, she immediately noticed that it contained a
lot of files with names suggesting explicit child pornography. She informed
the county sheriff's department, which sent a deputy to take a look at her
discovery. ...

http://www.computerworld.com/s/article/9236036/Exposure_of_files_on_unsecured_wireless_no_excuse_to_search_judge_rules


Great blog posting in Scientific American re Comment Moderation

Lauren Weinstein <lauren@vortex.com>
Tue, 29 Jan 2013 11:37:40 -0800
http://j.mp/XPYnRl  (Scientific American via NNSquad)

  "If you don't delete or disemvowel inappropriate comments, people will
  think you are not even reading the comment threads. If you don't show up
  in person, nobody will know you are even interested in their thoughts. If
  you don't delete the trolls, the trolls will take over and the nice people
  will go somewhere else."

Yes, yes, and yes!

Please report problems with the web pages to the maintainer

Top