The Risks Digest

The RISKS Digest

Forum on Risks to the Public in Computers and Related Systems

ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

Volume 27 Issue 22

Saturday 23 March 2013

Contents

Small furry animals and slithering snakes vs Electric Utilities
Ishikawa
Panama Canal Railway upgrade problems
Robert Heuman
National Vulnerability Database is hacked!
Mark Thorson
Re: Weapons Experts Raise Doubts About Israel's Antimissile System
Amos Shapir
Feds announce massive scanning of private Internet communications
Lauren Weinstein
Google's trust problem
Ezra Klein via Dewayne Hendricks
"Smile, you're on Google Glass, whether you like it or not"
Caroline Craig via Gene Wirchenko
"Andrew Auernheimer joins growing list of so-called hackers facing harsh justice"
Ted Samson via Gene Wirchenko
Security hole lets Apple passwords be reset with e-mail addr, DoB
Chris Welch via Jim Reisert
Re: Electronic health records: teething problems?"
William Pociengel
Re: Mars Rover is Repaired, NASA Says
William Pociengel
Re: Fake silicone fingers strike again
Amos Shapir
Re: Attorney General's testimony on Aaron Swartz raises more ...
Wol
Microwave oven interference robustness mode
Jidanni
Info on RISKS (comp.risks)

Small furry animals and slithering snakes vs Electric Utilities

ishikawa <ishikawa@yk.rim.or.jp>
Fri, 22 Mar 2013 14:39:12 +0900
In the never-ending saga of small furry animals and slithering snakes vs
electric utilities, here is the latest and more horrifying incident.

Martin Fackler, Fukushima Blackout Hints at Plant's Vulnerability, *The
New York Times*, 19 Mar 2013
  http://www.nytimes.com/2013/03/20/world/asia/blackout-halts-cooling-system-at-fukushima-plant.html

Martin Fackler, Rat Body Linked to Blackout at Atomic Site, *The New York
  Times*, 20 Mar 2013
 http://www.nytimes.com/2013/03/21/world/asia/rat-at-fukushima-plant.html

A lot of Japanese must have gone through uncomfortable moments.  Initially,
when I learned that there was a re-wiring work was going on, I thought there
was some type of human error. Now a rodent is implicated.

In either case, TEPCO is losing public trust, well, at least from me.  If an
important piece for feeding electricity is not protected from a rodent, how
can we tell the piece won't fall down or break down if another reasonably
large earthquake hits the area (and this is no idle threat in Japan, the
virtually the busiest center of earthquakes in the world.)

I would not mind losing electricity for my home for a few hours or even half
a day after a big earthquake. That is life in this corner of the world. Many
households in Japan stock water/food/battery, etc. just in case. We can't
argue with earthquakes as the saying goes here. (The other two, we can't
argue in the saying are thunderbolts, and one's father.)

But a crippled nuclear reactor site with many used fuel rods that requires
continuous cooling needs better care than typical households.

BTW, I found a few similar incidents in RISKS:

 RISKS-8.75   SRI attacked by kamikaze squirrels?
 RISKS-8.77   Re: Power outages
              (A raccoon hit U. of Utah and disturbed a
              room-temperature fusion experiment, and it was mentioned
              that JPL had seen similar attacks, er, incidents. )
 RISKS-18.52  Rats take down Stanford power and Silicon Valley Internet service
 RISKS-19.88  Japanese snake vs. railroad electrical supply
 RISKS-23.39  Boa triggers blackout in Honduras
              (Nation-wide blackout for 15 minutes! Beat other animals to
              date in the scale of the incident.)

I thought that utility companies would have learned from these off-angle
attacks from the nature by now.


Panama Canal Railway upgrade problems

"R.S. (Bob) Heuman" <robert.heuman@alumni.monmouth.edu>
Sat, 23 Mar 2013 19:38:20 -0400
Reuters (Panama City), 22 Mar 2013
http://www.reuters.com/article/2013/03/23/us-panama-canal-idUSBRE92L19120130323

Thousands of containers have been stuck at Panamanian ports after a computer
glitch hampered communication with the railway, causing significant delays,
officials said on Friday.  The Panama Canal Railway Co transports about
1,500 containers daily between the only port on the Pacific entrance to the
Panama Canal and three ports on the Atlantic, said Thomas Kenna, director of
operations for the railway.  But a computer upgrade on Wednesday by Panama
Ports Co, which manages two of those ports, caused severe lags, Kenna said.

Since then, the railway has moved only about 350 containers a day.
Traffic picked up on Friday, and the system should be operating normally
by Monday, Kenna added.


National Vulnerability Database is hacked!

Mark Thorson <eee@sonic.net>
Thu, 21 Mar 2013 16:53:56 -0700
Their server is offline due to malware infection.  They probably clicked on
an ad in an e-mail.  The exploit used a vulnerability in Adobe's ColdFusion
software.

http://www.theregister.co.uk/2013/03/14/adobe_coldfusion_vulns_compromise_us_malware_catalog/


Re: Weapons Experts Raise Doubts About Israel's Antimissile System (RISKS-27.21)

Amos Shapir <amos083@gmail.com>
Sun, 24 Mar 2013 01:02:09 +0200
The following article by the Israel Institute for National Security Studies
contains a detailed debunking of the arguments used by some of the
researches which had produced these results.  It seems to be a yet another
case of "how to lie with statistics"...
http://www.inss.org.il/publications.php?cat!&incat=&read166


Feds announce massive scanning of private Internet communications

Lauren Weinstein <lauren@vortex.com>
Thu, 21 Mar 2013 20:39:59 -0700
http://j.mp/Z5d4TP  (Google+ via NNSquad)
http://j.mp/11n0qzS (Reuters / New York Times)

  "Under the program, critical infrastructure companies will pay the
  providers, which will use the classified information to block attacks
  before they reach the customers. The classified information involves
  suspect web addresses, strings of characters, e-mail sender names and the
  like."

Here we go!  It's out in the open at last.  Encrypt deeply now, or forever
hold your peace. CHARACTER STRINGS? EMAIL SENDER NAMES?  Who do they think
they're kidding?


Google's trust problem (Ezra Klein)

<Dewayne Hendricks>
Friday, March 22, 2013
Ezra Klein, *The Washington Post*, 21 Mar 2013
http://www.washingtonpost.com/blogs/wonkblog/wp/2013/03/21/googles-trust-problem/

James Fallows likes software meant to help him organize and simplify his
life. So, naturally, he moved immediately to download Google Keep, the
search giant's “new app for collecting notes, photos, and info.''  The
problem, Fallows quickly realized, is that he wasn't sure he could trust it.

Google now has a clear enough track record of trying out, and then
canceling, `interesting' new software that I have no idea how long Keep will
be around. When Google launched its Google Health service five years ago, it
had an allure like Keep's: here is the one place you could store your
prescription info, test readings, immunizations, and so on and know that you
could get at them. That's how I used it—until Google canceled this
`experiment' last year. Same with Google Reader, and all the other products
in the Google Graveyard that Slate produced last week.

And if there's even a 25 percent chance that Google Keep will be canceled
in two years, do you really want to be the sucker who spent endless hours
organizing your life around it?

Now, most people don't use Google Reader, or even know it's being canceled.
Same for Google Wave, Google Buzz, Google Health and Picnik, and all the
rest of the beloved little apps that have been sent to that cloud above the
cloud, where data is stored forever and servers never overload. This is a
pained whine emanating almost exclusively from Google power users.

Most people, however, also aren't the sort of early adopters who will rush
to download Google Keep. But Fallows is that kind of early adopter. So am
I. And Google needs early adopters. They need weirdos to rush to download
their new apps, try them out, offer feedback, and, ultimately, proselytize
to their friends. And I do all that! For instance, have you ever tried using
Sleep Cycle? This isn't an early adopter thing—the app has been around
for awhile—but I just started using it and am now annoying everyone I
know badgering them to try waking up to Sleep Cycle. It'll change your life.

But I'm not sure I want to be a Google early adopter anymore. I love Google
Reader. And I used to use Picnik all the time. I'm tired of losing my
services.

In fact, I'm starting to worry a bit about Gmail, which is at the core of
pretty much my entire life. I know, I know—Gmail is safe. The data it
feeds into the Google mainframe is extremely valuable to the search giant.
They won't let anything happen to it.

But I'm a heavy user of Gmail. And so I've been buying more space on
Google's servers. Recently, I hit 30 gigs—and learned Google won't let me
purchase any more room. The service which once swore I'd never have to
delete a message now tells me my only option is to delete gigabyte after
gigabyte of past e-mails.

That's their right, of course. But it was a reminder that Google's core
business isn't running an e-mail system or selling data storage. The thing
I wanted to pay them to do wasn't something they make much money off. So
now I'm a bit nervous: I freed up a good number of gigabytes, but now I've
run through much of the low-hanging fruit, and the bar measuring how far I
am from my storage unit is beginning to tick up again.

The problem, I'm beginning to think, is simply mismatch. The core services
of Google's business are often not the Google services I rely on most. And
even when their core products and my needs do meet, the business connection
is indirect. ...

Dewayne-Net RSS Feed: <http://www.warpspeed.com/wordpress>


"Smile, you're on Google Glass, whether you like it or not" (Caroline Craig)

Gene Wirchenko <genew@telus.net>
Mon, 18 Mar 2013 10:14:31 -0700
Caroline Craig, InfoWorld, 15 Mar 2013
Google Glass's style points are debatable, but one thing's for sure:
Data collection and user privacy will never be the same
http://www.infoworld.com/t/internet-privacy/smile-youre-google-glass-whether-you-it-or-not-214568


"Andrew Auernheimer joins growing list of so-called hackers facing harsh justice" (Ted Samson)

Gene Wirchenko <genew@telus.net>
Tue, 19 Mar 2013 11:13:37 -0700
Ted Samson, InfoWorld, 18 Mar 2013
The 26-year-old security researcher sentenced to 41 months in prison
for pulling e-mail address from public-facing server
http://www.infoworld.com/t/hacking/andrew-auernheimer-joins-growing-list-of-so-called-hackers-facing-harsh-justice-214742


Security hole lets Apple passwords be reset with e-mail addr, DoB (Chris Welch)

Jim Reisert AD1C <jjreisert@alum.mit.edu>
Fri, 22 Mar 2013 14:11:11 -0600
Chris Welch, 22 Mar 2013  @chriswelch

"Apple yesterday rolled out two-step verification, a security measure that
promises to further shield Apple ID and iCloud accounts from being
hijacked. Unfortunately, today a new exploit has been discovered that
affects all customers who haven't yet enabled the new feature. It allows
anyone with your e-mail address and date of birth to reset your password --
using Apple's own tools. We've been made aware of a step-by-step tutorial
(which remains available as of this writing) that explains in detail how to
take advantage of the vulnerability.  The exploit involves pasting in a
modified URL while answering the DOB security question on Apple's iForgot
page. It's a process just about anyone could manage, and The Verge has
confirmed the glaring security hole firsthand."

http://www.theverge.com/2013/3/22/4136242/major-security-hole-allows-apple-id-passwords-reset-with-email-date-of-birth


Re: Electronic health records: teething problems?" (RISKS-27.18)

William Pociengel <wpociengel@yahoo.com>
Fri, 22 Mar 2013 14:20:05 -0500
Actually you just need to use a screen name and something that looks like a
valid e-mail address. It accepts and posts your comment; but yes it is a bit
odd to request an e-mail address.


Re: Mars Rover is Repaired, NASA Says (Re: RISKS-27.21)

William Pociengel <wpociengel@yahoo.com>
Fri, 22 Mar 2013 08:37:08 -0500
Since when did NASA stop using 3 computers for deep space exploration?  They
always used to have every critical system in 3's for this very reason.


Re: Fake silicone fingers strike again (RISKS-27.21)

Amos Shapir <amos083@gmail.com>
Fri, 22 Mar 2013 11:32:33 +0200
It is amazing that the system would be vulnerable to this attack, especially
since the vulnerability has been suggested long before such systems have
even existed.  In his movie Sleeper, released in 1973, Woody Allen employs
exactly this method to subvert a fingerprint scanning system; I'm quite sure
he was not the first to suggest it either.


Re: Attorney General's testimony on Aaron Swartz raises more ...

Wol <antlists@youngman.org.uk>
Fri, 22 Mar 2013 15:27:32 +0000
It's interesting to see how other jurisdictions handle this.

There's been a recent case in the UK where the prosecutor did this (quote a
maximum sentence). And on appeal this was all the justification the appeal
court needed to throw a guilty plea out of the window and overturn the
entire court-martial.

The message is clear. In the UK this is totally unacceptable practice.


Microwave oven interference robustness mode

<jidanni@jidanni.org>
Sat, 23 Mar 2013 10:30:41 +0800
The IEEE 802.11 committee that developed the Wi-Fi specification conducted
an extensive investigation into the interference potential of microwave
ovens.  A typical microwave oven uses a self-oscillating vacuum power tube
called a magnetron and a high voltage power supply with a half-wave
rectifier (often with voltage doubling) and no DC filtering. This produces
an RF pulse train with a duty cycle below 50% as the tube is completely off
for half of every AC mains cycle: 8.33 ms in 60 Hz countries and 10 ms in 50
Hz countries.

This property gave rise to a Wi-Fi "microwave oven interference robustness"
mode that segments larger data frames into fragments each small enough to
fit into the oven's "off" periods.

http://en.wikipedia.org/wiki/Electromagnetic_interference_at_2.4_GHz#Microwave_oven

Please report problems with the web pages to the maintainer

Top