The Risks Digest

The RISKS Digest

Forum on Risks to the Public in Computers and Related Systems

ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

Volume 27 Issue 43

Tuesday 27 August 2013

Contents

Nasdaq Market Overcomes Trading Failure
Nathaniel Popper
NZ Inland Revenue system: Watch this space
Richard A. O'Keefe
Key emergency notification system, NOAA's "All Hazards Radio" DOWN
Danny Burstein
Zuckerberg's Facebook page hacked to prove security flaw
Lauren Weinstein
Facebook: Governments Demanded Data on 38K Users
Matt Apuzzo via Dewayne Hendricks
Feds Back Away From Forced Decryption—For Now
David Kravets via Dewayne Hendricks
China suffers 'largest' cyberattack; Censorship makes it difficult to gauge attack scope
Lauren Weinstein
"Zombie scripts can attack at any time"
Paul Venezia via Gene Wirchenko
Novopay subcontractor bought by reviewer
Richard A. O'Keefe
"'Jekyll' test attack sneaks through Apple App Store, wreaks havoc on iOS"
John Cox via Gene Wirchenko
"The devil is in the subscription-licensing details"
RL Mitchell via GW
"Ramnit Financial Malware Now Aimed at Steam Gamers"
Chris Paoli via GW
"Don't fall prey to ad networks peddling dicey links"
Roger A. Grimes via GW
"Would Transparency by Feds Ease Fears Over Cloud Surveillance?"
GW
Re: Xerox scanners/photocopiers randomly alter numbers in scanned documents
David Lesher
Carlos G Mendioroz
Re: Risks to NYC Bike Share
George Neville-Neil
Re: Easter Eggs in Infrastructure Software
David A. Lyons
Info on RISKS (comp.risks)

Nasdaq Market Overcomes Trading Failure

"Peter G. Neumann" <neumann@csl.sri.com>
Thu, 22 Aug 2013 15:39:26 PDT
Nathaniel Popper, *The New York Times*, 22 Aug 2013
http://dealbook.nytimes.com/2013/08/22/nasdaq-market-halts-trading/

Trading in a wide array of stocks, including popular ones like Apple and
Microsoft, ground to a halt on 22 Aug 2013 after a technology problem at the
Nasdaq stock exchange.  It was the latest prominent disruption in the
markets caused by computer glitches.


NZ Inland Revenue system: Watch this space

"Richard A. O'Keefe" <ok@cs.otago.ac.nz>
Fri, 23 Aug 2013 17:00:45 +1200
The current New Zealand Inland Revenue Department is 40 million lines of
COBOL and DMSII and who-knows-what which has been stretched far past its
original design.  I am by background and inclination in roughly the same
political camp as say I. F. Stone, but in the case of a computer system like
this it is hard to argue with small-government conservatives who claim that
the tax system should be simplified.  A simpler system is not necessarily
one that is unfair to workers, after all.

  “[The] system has been transformed over the years from a tax system
  collecting only income and company tax, to one which covers child support,
  ... student loans, ...  Kiwisaver [a retirement scheme], and Working for
  Families.''
http://www.stuff.co.nz/national/politics/8619006/IRD-computer-systems-1-5b-overhaul

The Cabinet approved what has been described as a "major overhaul" but
sounds more like a total rewrite.  The project is supposed to take 10 years,
and to cost a milliard dollars, although they're allowing for one and a half
milliard.  To put this in perspective, the population of the country is
about 4.5 million, so the annual spend will be 22 to 34 dollars per man,
woman, and child per year.

Several people are freaking out about the big number, but
        40,000,000 lines of code
* 20 lines of tested working documented code/day
      = 2,000,000 programmer-days
* 200 work-days per year
     = 10,000 programmer work-years
* $100,000 salary and overheads per programmer year
     = $1,000,000,000 (one milliard)
equivalent must have been spent building the old system—using some very
crude estimates I don't care to justify—so the expected cost of the new
system is not out of line.

Nonetheless, slouching your way to Bedlam one new feature request at a time
is one thing, *intending* to go there is quite another.  It would make a
huge amount of sense spending a full year of design trying to reduce the
size of the planned system (whatever they think the size will be), but it
will take a special miracle from St Thomas More to make _that_ happen.

Expect to hear interesting things about this.


Key emergency notification system, NOAA's "All Hazards Radio" DOWN

danny burstein <dannyb@panix.com>
Sun, 18 Aug 2013 21:06:01 -0400 (EDT)
The National Oceanic and Atmospheric Administration (NOAA) has operated a
nationwide network of radio transmitters providing full time weather reports
and forecasts for decades now, dating back to their "Weather Bureau" days.

As I wrote in my note to RISKS back in Oct 2005 [a], where I discussed the
lack of backup power to many of their facilities:

  "These stations are part of the _real_ emergency network and are supposed
  to stay up after anything short of a direct nuclear hit."

There are numerous radio receivers that can pick up these stations, with
many of them in a "silent/squelch mode" until activated.

In case of a local hazardous/emergency situation such as a hurricane,
tornado, flood, chemical spill, nuclear reactor plant breach, or.. national
events up to and including nuclear attack, the transmitters send out an
alert tone which "unlocks" the receivers and activates the loudspeakers.

Hence just about every "911 PSAP" (public safety answering position),
utility headquarters, transit operations center, many tv/radio stations,
and... thousands and thousands of people living in tornado/hurricane/flood
zones, have these radios. Hence it's critical that the system stay up.

Recently friends of mine in NYC noted that the local station, covering
perhaps 15 million people, was repeatedly off the air for the past two
months.

Finally, after many complaints to NOAA, they posted a note on their
"outages" web page confirming the problem. And then, a few days later, came
up with the startling reason that...

(quoting from the page [b]):

  SPECIAL NOTICE
  NEW YORK CITY, NY Transmitter (KWO35)
  Frequency 162.550

  Due to interference issues with the U.S. Coast Guard, the New York City
  transmitter has been temporarily taken out of service while a solution is
  being formulated.

Yes. Really.

The Big Problem here (aside from the lack of urgency by all the folk
involved) is that many, make that MANY, people and agencies are counting on
this working. Folk using the radios in "squelch" (silent) mode are relying
on them to "open up" in an emergency, yet have no way to know the system is
dead.

It's kind of like relying on your overhead sprinklers and not knowing that
the main water valve is off.

[a] http://catless.ncl.ac.uk/Risks/24.07.html#subj4

[b] http://www.nws.noaa.gov/nwr/outages.php

- since the NOAA outage page is dynamic and, hopefully, real soon now, will
  change when the system is finally fixed, I've mirrored that image up at:

    http://www.dburstein.com/images/noaa-tx.png


Zuckerberg's Facebook page hacked to prove security flaw

Lauren Weinstein <lauren@vortex.com>
Mon, 19 Aug 2013 10:09:44 -0700
  A Palestinian researcher posted a message on Facebook CEO Mark
  Zuckerberg's page last week after he says the site's security team didn't
  take his warnings about a security flaw seriously.  "First, sorry for
  breaking your privacy and post(ing) to your wall," wrote Khalil
  Shreateh. "I (have) no other choice to make after all the reports I sent
  to (the) Facebook team."  Shreateh, who describes himself as an unemployed
  security researcher with a degree in information systems, said he found a
  hole in Facebook's systems that let him post to any user's page, including
  users not on his Friends list.  Such an exploit would be a virtual gold
  mine for spammers, scam artists and others seeking to take advantage of
  the site's roughly 1 billion users worldwide.
    http://j.mp/14PQL4t  (CNN via NNSquad

  [See also "Hacker: I pwned Zuckerberg; at least give me a stupid T-shirt"
  (Robert X. Cringely), InfoWorld, 19 Aug 2013.  PGN via GW]
http://www.infoworld.com/t/cringely/hacker-i-pwned-zuckerberg-least-give-me-stupid-t-shirt-225135


Facebook: Governments Demanded Data on 38K Users (Matt Apuzzo)

Dewayne Hendricks <dewayne@warpspeed.com>
August 27, 2013 12:32:01 PM EDT
Matt Apuzzo, Associated Press, 27 Aug 2013
http://hosted.ap.org/dynamic/stories/U/US_FACEBOOK_LAW_ENFORCEMENT

WASHINGTON (AP)—Government agents in 74 countries demanded information on
about 38,000 Facebook users in the first half of this year, with about half
the orders coming from authorities in the United States, the company said
Tuesday.

The social-networking giant is the latest technology company to release
figures on how often governments seek information about its
customers. Microsoft and Google have done the same.

As with the other companies, it's hard to discern much from Facebook's data,
besides the fact that, as users around the globe flocked to the world's
largest social network, police and intelligence agencies followed.

Facebook and Twitter have become organizing platforms for activists and, as
such, have become targets for governments. During anti-government protests
in Turkey in May and June, Turkish Prime Minister Recep Tayyip Erdogan
called social media "the worst menace to society."

At the time, Facebook denied it provided information about protest
organizers to the Turkish government.

Data released Tuesday show authorities in Turkey submitted 96 requests
covering 173 users. Facebook said it provided some information in about 45
of those cases, but there's no information on what was turned over and why.

"We fight many of these requests, pushing back when we find legal
deficiencies and narrowing the scope of overly broad or vague requests,"
Colin Stretch, Facebook's general counsel company said in a blog post. "When
we are required to comply with a particular request, we frequently share
only basic user information, such as name."

Facebook spokeswoman Sarah Feinberg said the company stands by its
assertions that it gave no information regarding the Turkey protests.

"The data included in the report related to Turkey is about child
endangerment and emergency law enforcement requests," she said. ...


Feds Back Away From Forced Decryption—For Now (David Kravets)

Dewayne Hendricks <dewayne@warpspeed.com>
August 27, 2013 7:46:19 AM EDT
David Kravets, *WiReD*, 27 Aug 2013 [PGN-ed]
http://www.wired.com/threatlevel/2013/08/forced-decryption-legal-battle/

Federal prosecutors have formally dropped demands that a child-porn suspect
give up his encryption keys in a closely watched case, but experts warn the
issue of forced decryption is very much alive and is likely to encompass a
larger swath of Americans as crypto adoption becomes mainstream. ...

The question of whether the government can force a suspect to decrypt hard
drives was thrust into the limelight earlier this year when federal
authorities suspected a Wisconsin man of downloading child pornography from
the file-sharing network e-Donkey. One federal judge ordered the defendant
to decrypt as many as nine hard drives seized from the suspect's suburban
Milwaukee apartment. Another judge put that decision on hold to analyze the
implications of whether the demand breached the Fifth Amendment right
against compelled self incrimination.

The hotly contested legal issue was mooted when prosecutors said the FBI
cracked two of the suspect's drives—both Western Digital My Book
Essentials.  They announced they found kiddie-porn images and days ago
dropped their forced-decryption legal battle. It's allegedly enough illicit
porn to put Feldman away for decades, if he's found guilty. ...

Wes McGrew, a Mississippi State professor of computer security and reverse
engineering, suspected that authorities cracked Feldman's passwords,
rather than the underlying encryption, to decrypt the Western Digital
drives. ...

For the moment, requiring suspects to decrypt data is rare, and has never
been squarely addressed by the Supreme Court. ...

Dewayne-Net RSS Feed: <http://dewaynenet.wordpress.com/feed/>


China suffers 'largest' cyberattack; Censorship makes it difficult to gauge attack scope

Lauren Weinstein <lauren@vortex.com>
Mon, 26 Aug 2013 10:38:24 -0700
http://j.mp/143vBRf  (ZDNet via  NNSquad)

  "Many Chinese websites are down following what authorities are describing
  as the "largest denial-of-service attack" it has ever faced. But because
  of heavy Internet regulation and censorship, it's not clear to Western
  eyes how deep the attack went."

Rumor is that the attack is being attributed to the "Pekingese Liberation
Army."


"Zombie scripts can attack at any time"

Gene Wirchenko <genew@telus.net>
Mon, 26 Aug 2013 11:45:40 -0700
Paul Venezia, InfoWorld, 26 Aug 2013
Make no mistake, abandoned scripts and other IT zombies can make for
spirited problem solving
http://www.infoworld.com/d/data-center/zombie-scripts-can-attack-any-time-225426

selected text:

Lo and behold, I discovered more than 20,000 emails, the vast majority of
which were returns from a cronjob that someone else had implemented years
ago.  This cronjob was now failing, and the report the cronjob created
couldn't be delivered because the recipient domain no longer existed, and
the mailer error came back to me, the postmaster.


Novopay subcontractor bought by reviewer (Re: RISKS-27.36,39,40)

"Richard A. O'Keefe" <ok@cs.otago.ac.nz>
Fri, 23 Aug 2013 17:42:49 +1200
Stephen Joyce issued the "Novopay Technical Review - Terms of Reference"

An anonymous report was issued on 19 Mar 2013.  The review was done by
Deloitte, under the direction of Murray Jack in his role as chairman of
Deloitte.  The subsequent Ministerial Inquiry into Novopay was headed by
Murray Jack in his role as a private individual.
http://www.minedu.govt.nz/~/media/MinEdu/Files/TheMinistry/NovopayProject/MinisterialInquiry/TechnicalReviewTermsOfReference.pdf
http://www.minedu.govt.nz/~/media/MinEdu/Files/TheMinistry/NovopayProject/MinisterialInquiry/TechnicalReviewFinalReport.pdf

According to the National Business Review, Deloite recently bought Asparona,
a development-on-Oracle company, and one of the subcontractors that did
software development work on Novopay.  In fairness to Asparona, the Novopay
shambles is a project management shambles, not a programming shambles as
such, and Asparona "were brought onboard ... *after* the Ministry of
Education" noticed things were going badly.
http://www.nbr.co.nz/article/deloitte-buys-novopay-subcontractor-no-open-ck-p-144414

Still:
 (1) The government paid Deloitte to examine Novopay.
 (2) Deloitte said it can be fixed and recommended throwing more money and
      people at it.
 (3) The government says "OK boss".
 (4) Deloitte bought the subcontractor.

I'm sure that this was all done according to the highest of business ethics
complete with Chinese walls, but at a minimum it seems as if Deloitte had a
taxpayer-subsidized opportunity to inspect Asparona that other conceivable
purchasers did not have.

The press seem to be reporting this just as an endorsement of how good
Asparona were.  Maybe I'm crazy to find this just a touch on the nose.


"'Jekyll' test attack sneaks through Apple App Store, wreaks havoc on iOS" (John Cox)

Gene Wirchenko <genew@telus.net>
Tue, 20 Aug 2013 17:40:11 -0700
John Cox, Network World, 19 Aug 2013
Like a Transformer robot, malicious Apple iOS app re-assembles itself
into an aggressive attacker running inside the iOS 'sandbox'
http://www.infoworld.com/d/security/jekyll-test-attack-sneaks-through-apple-app-store-wreaks-havoc-ios-225107


"The devil is in the subscription-licensing details" (RL Mitchell)

Gene Wirchenko <genew@telus.net>
Tue, 20 Aug 2013 19:50:55 -0700
  This is a resubmittal.  This item appeared in 27.42, but you did not
  include the URL.  GW  [Ooooops!  PGN]

Robert L. Mitchell, Computerworld, 13 Aug 2013
The devil is in the subscription-licensing details
The transition to cloud-based services is ratcheting up traditional
enterprise software costs and adding layers of complexity
http://www.infoworld.com/t/applications/the-devil-in-the-subscription-licensing-details-224737


"Ramnit Financial Malware Now Aimed at Steam Gamers" (Chris Paoli)

Gene Wirchenko <genew@telus.net>
Wed, 21 Aug 2013 14:24:26 -0700
Chris Paoli, *Redmond Magazine*, 21 Aug 2013
Ramnit Financial Malware Now Aimed at Steam Gamers
A variant of the popular "money in the bank" malware is now targeting
the largest online game distributor.
http://redmondmag.com/articles/2013/08/21/ramnit-financial-malware.aspx


"Don't fall prey to ad networks peddling dicey links" (Roger A. Grimes)

Gene Wirchenko <genew@telus.net>
Tue, 20 Aug 2013 17:26:16 -0700
Roger A. Grimes, InfoWorld, 20 Aug 2013
If your website accepts links from third parties—such as ad
networks—make sure they don't lead to malicious sites
http://www.infoworld.com/d/security/dont-fall-prey-ad-networks-peddling-dicey-links-225216


"Would Transparency by Feds Ease Fears Over Cloud Surveillance?"

Gene Wirchenko <genew@telus.net>
Mon, 19 Aug 2013 13:54:04 -0700
http://redmondmag.com/blogs/the-schwartz-report/2013/08/cloud-surveillance.aspx


Re: Xerox scanners/photocopiers randomly alter numbers in scanned documents (RISK-27.41)

David Lesher <wb8foz@panix.com>
Mon, 19 Aug 2013 10:04:59 -0400
Decades ago, I recall the monster IBM 3800 laser printer on NASA-LeRC's 3033
had another subtle firmware/hardware bug. The 3800 served the entire lab,
and thanks to robust home-grown utilities [some written in Fortran..]  did
almost everything you needed, from correspondence on letterhead to memos to
graphs/charts.

But sometime it would, seemingly randomly, drop a whole line of text.

When Legal found out, they went into orbit. Thereafter, all legal documents
had to use the PRINT-90 utility; the theory being a missing column of text
would be far more obvious than a missing line.


Re: Xerox scanners/photocopiers randomly alter numbers in scanned documents (RISK-27.41)

Carlos G Mendioroz <tron@huapi.ba.ar>
Sun, 18 Aug 2013 20:29:20 -0300
Already done, some 30 years ago. We had a document system that altered the
dot matrix definition of characters according to the user printing the
doc. Subtle, invisible to the naked eye...

Carlos G Mendioroz  <tron@huapi.ba.ar>  LW7 EQI  Argentina


Re: Risks to NYC Bike Share (RISKS-27.42)

George Neville-Neil <gnn@neville-neil.com>
Sun, 18 Aug 2013 22:53:56 -0400
Paul Schreiber <paulschreiber@gmail.com> wrote to me:

> In my experience, you can only press the wrench button immediately
> after returning a bicycle.

That may have (finally) been fixed but it was definitely not the case
when they started.  They claimed they were going to fix it, perhaps they did.


Re: Easter Eggs in Infrastructure Software (weather.gov), RISKS 27.41

"David A. Lyons" <dlyons@lyons42.com>
Sun, 18 Aug 2013 16:24:14 -0700
> The US National Weather Service's website <www.weather.gov> returns a
> forecast for Manhattan when the location "evil" is searched.  ... The
> risks? ... introduction of incorrect behavior into critical code, probably
> for the sake of a very bad taste "joke".

The result is puzzling and obscure, but perhaps not the result of a database
error or a joke.  The URL after the search is
<http://forecast.weather.gov/MapClick.php?lat@.764477&lon=-73.999121&site=all&smap=1&searchresult=Intrepid%20Sea%2C%20Air%20%26%20Space%20Museum%2C%20New%20York%2C%20NY%2010036%2C%20USA#.UhFWGVzTzUk>,
indicating the "Intrepid Sea, Air & Space Museum, New York, NY 10036, USA".

After further web searches, I see the museum features the USS Intrepid,
known as "the Evil I".
<http://www.homeandabroad.com/browse/details/sites.ha?mainInfoId 337>.

Please report problems with the web pages to the maintainer

Top