The Risks Digest

Forum on Risks to the Public in Computers and Related Systems

ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

Volume 27 Issue 16

Thursday 14 February 2013


Super Bowl blackout was caused by electrical relay
Kevin McGill via Henry Baker
Safety investigators identify origin of Boeing 787 battery fire
Jim Reisert
Jared Diamond on risk assessment
Paul Edwards
Man allegedly follows GPS directions to wrong house; shot dead
Chris Matyszczyk via Monty Solomon
Hackers in China Attacked The New York Times for Last 4 Months
Nicole Perlroth
Infiltrate anybody, one-click easy
Steve Summit
"U.S. Said to Be Target of Massive Cyber-Espionage Campaign"
Ellen Nakashima via ACM TechNews
Visa suspicious activity
Leslie Maltz
Password Cracking AES-256 DMGs and Epic Self-Pwnage
Jeremiah Grossman via Monty Solomon
Security Firm Bit9 Hacked, Used to Spread Malware
Lauren Weinstein
"Researchers devise new attack techniques against SSL"
Lucian Constantin via Gene Wirchenko
Deloitte predicts that in 2013 more than 90 percent of user-generated passwords will be vulnerable to hacking
Jim Reisert
"Canadian business and technology associations oppose anti-spam regulations"
Gene Wirchenko
"Data breach exposes Energy Department's 'continuing story of negligence'"
Gene Wirchenko
"9 iPhone and iPad apps that invade your privacy, and 1 that doesn't"
Tom Kaneshige via Gene Wirchenko
Mandatory Black Boxes in Cars
Nate Cardozo EFF Press
Apparent issue with Facebook Connect is dragging people from around the Web to a moot error page
The Next Web via NNSquad
Did Facebook Just Break Half the Internet?
Gawker via NNSquad
"How Facebook Connect took down the Web"
Peter Wayner via Gene Wirchenko
Read this book by Ross Anderson. It's free.
Rob Slade
FOSE 2013
Sarah Kneip
Info on RISKS (comp.risks)

Super Bowl blackout was caused by electrical relay (Kevin McGill)

Henry Baker <>
Fri, 08 Feb 2013 17:36:06 -0800
  [FYI—When IBM service engineers did this sort of thing, we called it
  "causative maintenance"...]

Kevin McGill, Super Bowl blackout was caused by [faulty] electrical relay,
Associated Press, 8 Feb 2013

NEW ORLEANS—The company that supplied electricity to the Super Bowl says
the blackout that halted the big game was caused by a device it installed
specially to prevent a power failure.  But the utility stopped short of
taking all the blame and said Friday that it was looking into whether the
electrical relay at fault had a design flaw or a manufacturing defect.

The relay had been installed as part of a project begun in 2011 to upgrade
the electrical system serving the Superdome in anticipation of the
championship game. The equipment was supposed to guard against problems in
the cable that links the power grid with lines that go into the stadium.

"The purpose of it was to provide a newer, more advanced type of protection
for the Superdome," Dennis Dawsey, an executive with Entergy Corp., told
members of the City Council. Entergy is the parent company of Entergy New
Orleans, the city's main electric utility.

Entergy officials said the relay functioned with no problems during
January's Sugar Bowl and other earlier events. It has been removed and will
be replaced.  ...  The relay was installed in a building near the stadium
known as "the vault," which receives a line directly from a nearby Entergy
substation. Once the line reaches the vault, it splits into two cables that
go into the Superdome.

Sunday's power failure cut lights to about half of the stadium, halting play
between the Baltimore Ravens and San Francisco 49ers and interrupting the
nation's most-watched sporting event for 34 minutes.

Not long after the announcement, the manufacturer of the relay,
Chicago-based S&C Electric Co., released a statement saying that the
blackout occurred because system operators had put the relay's so-called
trip setting too low to allow the device to handle the incoming electric
load.  "If higher settings had been applied, the equipment would not have
disconnected the power," said Michael J.S. Edmonds, vice president of
strategic solutions for S&C.  In a follow-up statement, Entergy said that
tests conducted by S&C and Entergy on the two relays at the Superdome showed
that one worked as expected, the other did not.  Entergy spokesman Mike
Burns said both relays had the same trip setting.  Entergy's announcement
came shortly before company officials went before a committee of the City
Council, which is the regulatory body for the company.

   [Truncated for RISKS.  The article continues with somewhat less
   expressed certainty as to the cause(s).  PGN]

Safety investigators identify origin of Boeing 787 battery fire

Jim Reisert AD1C <>
Thu, 7 Feb 2013 16:42:17 -0700
Washington (CNN)—Federal safety officials said Thursday they have
identified the origin of the battery fire on a Boeing 787 Dreamliner last
month, and are turning their microscopes on an aircraft approval process in
which the airplane builder evidently greatly underestimated the chances of
battery failure.

Boeing had estimated a "smoke" event would occur "less than once in 10
million flight hours" with the Dreamliner's novel lithium-ion batteries,
National Transportation Safety Board chairwoman Deborah Hersman said. But
after fewer than 100,000 hours of actual flight, two batteries failed, one
culminating in a fire.

Further, Boeing's indications that heat damage in one battery cell would not
harm adjacent cells proved false, Hersman said.

"The assumptions used to certify the battery must be reconsidered," Hersman

Jim Reisert AD1C, <>,

  [Get it from the horse's mouth: The National Transportation Safety Board:

Jared Diamond on risk assessment

Paul Edwards <>
Wed, 30 Jan 2013 21:39:55 +1100

  "If I'm to achieve my statistical quota of 15 more years of life, that
  means about 15 times 365, or 5,475, more showers. But if I were so
  careless that my risk of slipping in the shower each time were as high as
  1 in 1,000, I'd die or become crippled about five times before reaching my
  life expectancy. I have to reduce my risk of shower accidents to much,
  much less than 1 in 5,475."

This article provides a useful and clear overview of risk assessment (of the
non-IT kind). It may be of use to folks who need to educate their users...

Man allegedly follows GPS directions to wrong house; shot dead (Chris Matyszczyk)

Monty Solomon <>
Fri, 1 Feb 2013 08:57:50 -0500
Chris Matyszczyk, CNET, 29 Jan 2013
Friends say a man in his early 20s was picking up one more of their group to
go skating, when his GPS took him to the wrong house and the home-owner
allegedly shot him dead, later saying he feared a home invasion.

Two portraits emerge of Lilburn shooter

Hackers in China Attacked The New York Times for Last 4 Months (Nicole Perlroth)

"Peter G. Neumann" <>
Thu, 31 Jan 2013 11:50:12 PST
Nicole Perlroth, *The New York Times*, 30 Jan 2013

For the last four months, Chinese hackers have persistently attacked *The
New York Times*, infiltrating its computer systems and getting passwords for
its reporters and other employees.  After surreptitiously tracking the
intruders to study their movements and help erect better defenses to block
them, *The Times* and computer security experts have expelled the attackers
and kept them from breaking back in.  The timing of the attacks coincided
with the reporting for a *Times* investigation, published online on 25 Oct,
that found that the relatives of Wen Jiabao, China's prime minister, had
accumulated a fortune worth several billion dollars through business

Security experts hired by *The Times* to detect and block the computer
attacks gathered digital evidence that Chinese hackers, using methods that
some consultants have associated with the Chinese military in the past,
breached *The Times*'s network. They broke into the e-mail accounts of its
Shanghai bureau chief, David Barboza, who wrote the reports on Mr. Wen's
relatives, and Jim Yardley, *The Times*'s South Asia bureau chief in India,
who previously worked as bureau chief in Beijing.  "Computer security
experts found no evidence that sensitive e-mails or files from the reporting
of our articles about the Wen family were accessed, downloaded or copied,"
said Jill Abramson, executive editor of *The Times*.

The hackers tried to cloak the source of the attacks on *The Times* by first
penetrating computers at United States universities and routing the attacks
through them, said computer security experts at Mandiant, the company hired
by *The Times*. This matches the subterfuge used in many other attacks that
Mandiant has tracked to China.

The attackers first installed malware - malicious software - that enabled
them to gain entry to any computer on *The Times*'s network. The malware was
identified by computer security experts as a specific strain associated with
computer attacks originating in China. More evidence of the source, experts
said, is that the attacks started from the same university computers used by
the Chinese military to attack United States military contractors in the

Security experts found evidence that the hackers stole the corporate
passwords for every *Times* employee and used those to gain access to the
personal computers of 53 employees, most of them outside The Times's
newsroom. Experts found no evidence that the intruders used the passwords to
seek information that was not related to the reporting on the Wen family.
No customer data was stolen from *The Times*, security experts said.

  [Long but very worthy article truncated for RISKS.  Steve Summit picked
  up on one paragraph that I deleted, below.  PGN]

Infiltrate anybody, one-click easy

Steve Summit
Sat, 02 Feb 2013 05:52:42 -0800
Attackers—allegedly from China—infiltrate the editorial offices of
the New York Times for several months:

One point particularly stands out for me:

  "Investigators [...] suspect the hackers used a so-called spear-phishing
  attack, in which they send e-mails to employees that contain malicious
  links or attachments.  All it takes is one click on the e-mail by an
  employee for hackers to install 'remote access tools'—or RATs."

I'm afraid I know the answer(s), but I have to ask: why in the world do we
put up with this?  What once was unthinkable—what amounts to remote
execution of untrusted code on any machine, essentially at will—is
routine.  (And, yes, I understand that what's typically going on is not
direct execution of simple .exe-format attachments, but rather exploitation
of bugs in complex but popular attachment-handling programs such as Acrobat
and Flash, but the net effect would seem to be exactly the same.)  The
too-familiar entreaties to users to "be careful of clicking on suspicious
attachments" do not and cannot work, but it's almost as if we've decided
those entreaties are all we can do, that any technological fixes in parallel
-- such as closing the holes in those attachment-handling programs once and
for all, or replacing them with inherently more secure approaches—are

"U.S. Said to Be Target of Massive Cyber-Espionage Campaign" (Ellen Nakashima)

ACM TechNews <technews@HQ.ACM.ORG>
Mon, 11 Feb 2013 12:30:27 -0500
Ellen Nakashima, *The Washington Post*, 10 Feb 2013
[via ACM TechNews, Monday, February 11, 2013]

The United States is the target of a massive, sustained cyber-espionage
campaign that threatens the country's economic competitiveness, according to
the National Intelligence Estimate (NIE).  The report identifies China as
the most aggressive country in trying to penetrate U.S. computer systems,
although Russia, Israel, and France also were cited as having engaged in
hacking for economic intelligence.  Cyber-espionage increasingly is
threatening the U.S.'s economic interests and the Obama administration is
looking for ways to counter the online theft of trade secrets.  "We need the
NIE on cyber for a systematic and comprehensive understanding of what the
most dangerous technologies are, who are the most threatening actors, and
what are our greatest vulnerabilities," says former deputy defense secretary
William J. Lynn III.  A majority of China's cyberattacks are thought to be
aimed at commercial targets with ties to military technology.  "The problem
with foreign cyber-espionage is not that it is an existential threat, but
that it is invisible, and invisibility promotes inaction," according to a
former government official.  "It's fair to say we're already living in an
age of state-led cyberwar, even if most of us aren't aware of it," says
Google CEO Eric Schmidt.

Visa suspicious activity

Leslie Maltz <>
Monday, January 28, 2013
This afternoon for at least 4 hours, Visa was denying purchases for
thousands of cardholders.  Visa claimed they had a system meltdown. I
watched as someone was turned down on a minimal purchase using a VISA
obtained through Barclay's Bank.  When on the phone with Visa customer
service, all they would admit was "all" their systems were down all
afternoon and that they were getting thousands of calls from customers.

All this sounds very suspicious.  Perhaps someone from IP knows more about
the problem and whether it was a real system failure or a denial of service
attack or some other hack.

Password Cracking AES-256 DMGs and Epic Self-Pwnage (Jeremiah Grossman)

Monty Solomon <>
Sun, 10 Feb 2013 12:28:23 -0500
Jeremiah Grossman, WhiteHat Security Blog, 7 FEB 2013

Two weeks ago I was in the midst of a nightmare. I'd forgotten a
password. Not just any password. THE password. Without this one password I
was cryptographically locked out of thousands and gigabytes worth of files I
care about. Highly sensitive and valuable files that include work documents,
personal projects, photos, code snippets, notes, family stuff, etc. The
password in question unlocks these files from the protection of locally
stored AES-256 encrypted disk image. A location where an "email me a
password reset link" is not an option. File backups? Of course! Encrypted
the same way with the same password. Password paper backup? Nope. I'll get
to that. I somehow needed to "crack" this password. If not, the amount of
epic self-pwnage would be too horrible to imagine.

Before sharing how I got myself into this predicament, it's necessary to
reveal some details about my personal computer security habits.  More
specifics than I'm normally comfortable sharing. ...

Security Firm Bit9 Hacked, Used to Spread Malware

Lauren Weinstein <>
February 8, 2013 6:17:30 PM EST  (Krebs via NNSquad)

  "Bit9, a company that provides software and network security services
   to the U.S. government and at least 30 Fortune 100 firms, has suffered
   an electronic compromise that cuts to the core of its business:
   helping clients distinguish known "safe" files from computer viruses
   and other malicious software.  Waltham, Massachusetts-based Bit9 is a
   leading provider of "application whitelisting" services, a security
   technology that turns the traditional approach to fighting malware on
   its head. Antivirus software, for example, seeks to identify and
   quarantine files that are known bad or strongly suspected of being
   malicious. In contrast, Bit9 specializes in helping companies develop
   custom lists of software that they want to allow employees to run, and
   to treat all other applications as potentially unknown and dangerous.
   But earlier today, Bit9 told a source for KrebsOnSecurity that their
   corporate networks had been breached by a cyberattack. According to
   the source, Bit9 said they'd received reports that some customers had
   discovered malware inside of their own Bit9-protected networks,
   malware that was digitally signed by Bit9's own encryption keys."

"Researchers devise new attack techniques against SSL" (Lucian Constantin)

Gene Wirchenko <>
Thu, 07 Feb 2013 12:46:32 -0800
Lucian Constantin, IDG News Service, *InfoWorld*, 06 Feb 2013

Almost all libraries used for implementing some of the Internet's most
important security protocols are likely to be vulnerable to the new 'Lucky
Thirteen' attacks

Deloitte predicts that in 2013 more than 90 percent of user-generated passwords will be vulnerable to hacking

Jim Reisert AD1C <>
Thu, 7 Feb 2013 16:43:37 -0700
  "Deloitte predicts that in 2013 more than 90 percent of user-generated
  passwords, even those considered strong by IT departments, will be
  vulnerable to hacking. Inadequate password protection may result in
  billions of dollars of losses, declining confidence in Internet
  transactions and significant damage to the reputations of the companies
  compromised by attacks. As the value of the information protected by
  passwords continues to grow, attracting more hack attempts, high-value
  sites will likely require additional forms of authentication."

I wonder what is considered "user-generated?"  Because I use LastPass
to generate random 8-character passwords for all my accounts, are
these considered to be user-generated?  I know sites that won't even
let you have a password more than 8 characters long.  I better go to
12 characters moving forward.

Jim Reisert AD1C, <>,

  [I suspect `user-generated' is intended to mean ones you generate yourself
  without supposedly clever tools.  But if you are using well-known
  supposedly clever tools predictably, that may be riskful as well,
  or may be irrelevant if your passwords have been sniffed—perhaps
  even as they are generated...  PGN]

"Canadian business and technology associations oppose anti-spam regulations"

Gene Wirchenko <>
Thu, 07 Feb 2013 10:26:44 -0800
Brian Jackson, A group of 13 associations say the proposed regulations for
Canada's anti-spam law go too far, *IT Business*, 6 Feb 2013

opening paragraph:

A list of 13 business and technology associations in Canada are using the
opportunity to comment on the proposed anti-spam regulations to fight for
the right to put spyware on your computer and mobile devices, according to
one Internet law expert.

"Data breach exposes Energy Department's 'continuing story of negligence'"

Gene Wirchenko <>
Tue, 05 Feb 2013 09:37:32 -0800
InfoWorld, 5 Feb 2013
U.S. Department of Energy claims no classified info was stolen by
hackers, just personal data belonging to employees

"9 iPhone and iPad apps that invade your privacy, and 1 that doesn't" (Tom Kaneshige)

Gene Wirchenko <>
Mon, 04 Feb 2013 09:36:52 -0800
Tom Kaneshige, CIO, *InfoWorld*, 2 Feb 2013
Most iPhone and iPad apps appear harmless and fun, but some are
virtual Trojan horses that swipe personal data when you're not looking

Mandatory Black Boxes in Cars

Nate Cardozo EFF Press <>
February 11, 2013 5:53:32 PM EST
Nate Cardozo
 Staff Attorney
 Electronic Frontier Foundation
 +1 415 436-9333 x146

Mandatory Black Boxes in Cars Raise Privacy Questions
EFF Urges Strict Rules to Protect Drivers' Data

San Francisco - The Electronic Frontier Foundation (EFF) urged the National
Highway Traffic Safety Administration (NHTSA) today to include strict
privacy protections for data collected by vehicle "black boxes" to protect
drivers from long-term tracking as well as the misuse of their information.

Black boxes, more formally called event data recorders (EDRs), can serve a
valuable forensic function for accident investigations, because they can
capture information like vehicle speed before the crash, whether the brake
was activated, whether the seat belt was buckled, and whether the airbag
deployed.  NHTSA is proposing the mandatory inclusion of black boxes in all
new cars and light trucks sold in America.  But while the proposed rules
would require the collection of data in at least the last few seconds before
a crash, they don't block the long-term monitoring of driver behavior or the
ongoing capture of much more private information like audio, video, or
vehicle location.

"The NHTSA's proposed rules fail to address driver privacy in any meaningful
way," said EFF Staff Attorney Nate Cardozo.  "These regulations must include
more than minimum requirements of what should be collected and stored --
they need a reasonable maximum requirement as well."

The current NHTSA proposal mandates a boilerplate notice to consumers that
"various systems" are being monitored.  The plan also calls for a commercial
tool to be made available to allow user access to black box data.  In its
comments submitted to the NHTSA today, EFF calls for complete and
comprehensive disclosure of data collection as well as a free and open
standard to access black box information.

"The information collected by EDRs is private and must remain private until
the car owner consents to its use," said Cardozo.  "Consumers deserve full
disclosure of what is being collected, when, and how, as well as an easy and
free way of accessing this data on their own.  Having to buy access to your
own data is not reasonable."

In addition to submitting its own comments to the NHTSA today, EFF also
joined the Electronic Privacy Information Center and a broad coalition of
privacy, consumer rights, and civil rights organizations in comments urging
the NHTSA to adopt specific, privacy-protecting amendments to its proposed

For EFF's full comments submitted to the NHTSA:

For this release:

About EFF

The Electronic Frontier Foundation is the leading organization protecting
civil liberties in the digital world. Founded in 1990, we defend free speech
online, fight illegal surveillance, promote the rights of digital
innovators, and work to ensure that the rights and freedoms we enjoy are
enhanced, rather than eroded, as our use of technology grows. EFF is a
member-supported organization.  Find out more at

Apparent issue with Facebook Connect is dragging people from around the web to a moot error page

Lauren Weinstein <>
Thu, 7 Feb 2013 16:31:49 -0800
  "The URL is garbled, but given the plethora of sites that you can hit to
  reach this page, TNW is laboring under the presumption that Facebook
  Connect is to blame. When you hit the blue 'Okay' button, you will be
  taken to a blank screen. If you hit the back button, the page you had
  wished to be on will be served to you, but only until the problem kicks
  back in and Facebook takes you hostage again.  This is no small
  issue. Facebook is dragging people from other sites, to its own website,
  where it puts them into the above penalty box for no clear reason. Given
  the number of first-hand reports that TNW received on Twitter, this issue
  could affect millions the world around. The disruption that Facebook is
  currently causing could cost its partners big ad dollars.  Feel free to
  list sites that you are seeing the problem with in the comments. Keith
  Plocek on Twitter dubbed the situation "Facebookmageddon." Not unfitting,
  frankly."  (*The Next Web* via NNSquad)

Did Facebook Just Break Half the Internet?

Lauren Weinstein <>
Thu, 7 Feb 2013 17:22:55 -0800  (Gawker via NNSquad)

  "UPDATE: Facebook responded with the following statement: For a short
  period of time, there was a bug that redirected people logging in with
  Facebook from third party sites to The issue was quickly
  resolved, and Login with Facebook is now working as usual.  We've asked
  for more information. But in the meantime, it's good to know one small
  glitch at Facebook can effectively disable the entire Internet by
  redirecting it to their site."

Why worry about terrorist attacks disrupting the Net when you've already got

  [PGN notes Lots of other items contributed on this incident.
  Gabe Goldberg noted
    Facebook and Instagram Users Asked To Upload IDs To Regain Access

  Gene Wirchenko noted Ted Samson, *InfoWorld*, 8 Feb 2013,
    Facebook error that hijacks thousands of websites isn't just an
  and also Roger A. Grimes, *InfoWorld*, February 12, 2013

"How Facebook Connect took down the Web" (Peter Wayner)

Gene Wirchenko <>
Wed, 13 Feb 2013 10:55:28 -0800
Peter Wayner, *InfoWorld*, 12 Feb 2013
Web hijacking wrought by Facebook Connect shows that both sites and
users may be ceding too much control to Facebook

Read this book by Ross Anderson. It's free.

Rob Slade <>
Mon, 4 Feb 2013 15:44:58 -0800
I have been reviewing security books for over twenty years now.  When I
think of how few are really worthwhile that gets depressing.

However, Ross Anderson is always worth reading.  And when Ross Anderson
first published "Security Engineering" I was delighted to be able to tell
everyone that it was a worthwhile read.  If you are, in any way, interested
in, or working in, the field of security, there is something there for you.
Probably an awful lot.

When Ross Anderson made the first edition available online, for free, and
then published the second edition, I was delighted to be able to tell
everyone that they should buy the second edition, but, if they didn't trust
me, they should read the first edition free, and then buy the second edition
because it was even better.

Now Ross has made the second edition available, online, for free:

Everyone should read it, if they haven't already done so.
(I am eagerly awaiting the third edition  :-)

FOSE 2013

"Sarah Kneip" <>
Thu, 14 Feb 2013 06:37:47 -0800
FOSE (Federal Office Systems Exposition) is the
largest, most comprehensive event serving the government technology
community.  With a robust three-day program consisting of Keynote Speakers,
Educational Sessions, Government Tech Talks, New Product/Solution Showcases
and an App Arcade, FOSE is a must-attend event for the government technology
community.  From 14--16 May 2013, thousands of attendees will experience a
broad range of technologies including: enterprise, infrastructure, workplace
and mobile that are targeted to the specialized regulatory, security and
mission needs of government agencies.
