The RISKS Digest

Forum on Risks to the Public in Computers and Related Systems

ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

Volume 27 Issue 87

Thursday 1 May 2014

Contents

LAX shut down because of "computer issues"
Paul Saffo
Computer fault causes delays at airports and sea ports
Chris J Brady
Consequences of privacy risks in social networks
Yvo Desmedt
Tax Fraud Gang Targeted Healthcare Firms
Jim Reisert
UPS hasn't found the package of clue yet
David Lesher
The risks of garbage collection delays
Steve Loughran
Re: Unintended Denial of Service by Banking Security
Toby Douglass
Re: It's Insanely Easy to Hack Hospital Equipment
Larry Sheldon
Re: Microsoft injects code into files backed up on their cloud
George Sicherman
When smart mail goes wrong ...
George Michaelson
Heartbleed as Metaphor
Dan Geer
Lessons from the ACM Risks Forum, Webinar with PGN
Yan Timanovsky
CfP: LASER 2014: Workshop on Learning from Authoritative Security Experiment Results
Jeremy Epstein
Info on RISKS (comp.risks)

LAX shut down because of "computer issues"

Paul Saffo <paul@saffo.com>
Wed, 30 Apr 2014 14:56:16 -0700
Eek!  I'll bet there are a whole bunch of mad customers.

All Flights Grounded at LAX Due to `Computer Issues'
http://ktla.com/2014/04/30/all-flights-grounded-at-lax-due-to-computer-issues/#eGHVB3vHULCcuYSY.99

All flights were grounded at Los Angeles International Airport [on 30 Apr]
2014 afternoon due to `computer issues' the airport announced on Twitter.
The `ground stop' was announced by LAX on Twitter at 2:13 p.m., and it
referred questions to the Federal Aviation Administration, the agency that
issued the order.  The FAA did not immediately return a request for more
information.  The airport was accepting arrivals but flights cannot depart
from LAX, according to Amanda Parsons of the airport. She said the ground
stop began about 2 p.m.

When a ground stop is issued, flights bound for the affected airport are
held at their departing airport, according to the FAA website.

https://twitter.com/flyLAXairport/status/461614376311853059



Computer fault causes delays at airports and sea ports

Chris J Brady <chrisjbrady@yahoo.com>
Thu, 1 May 2014 01:38:39 -0700 (PDT)
This computer glitch is the latest humiliation for the Home Office's
beleaguered UK Border Force—and the biggest disaster since the widespread
queue chaos before the 2012 Olympics.  Apparently it was the scanning of
passports that 'glitched.' The plan B was to enter details of passengers
into the computer system(s) by hand.  So, what went wrong?

http://www.bbc.co.uk/news/uk-27225649
http://www.dailymail.co.uk/news/article-2617136/Chaos-airports-Britain-IT-glitch-brings-immigration-passport-control-standstill.html


Consequences of privacy risks in social networks

Yvo Desmedt <Yvo.Desmedt@utdallas.edu>
Wed, 30 Apr 2014 09:41:30 -0500
We are very familiar with the privacy risks of using social networks.  What
is getting less attention is that the careless use of social networks may
have deadly consequences. I would classify these risks into two
categories. The first being a direct consequence of the user's own actions,
while the second is of indirect nature.

Social networks have promoted "selfies" (pictures of oneself). At least
three people have died lately while taking selfies. One person made and
uploaded a selfie while driving. The lack of attention to traffic killed the
driver.  For more details see e.g.:
http://www.independent.co.uk/news/world/americas/selfie-crash-death-woman-dies-in-headon-collision-seconds-after-uploading-pictures-of-herself-and-happy-status-to-facebook-9293694.html

An attempt to take a selfie with an elephant in Kenya had deadly
consequences too, see:
http://www.tambaa.co.ke/news/292-selfie-moment-gone-tragic-elephant-tramples-on-two-teenagers-at-kiptagich-forest-nakuru-county
Although the last accident may have occurred prior to the invention of
social networks, the same comment does not apply to the first incident.

Users of social networks may also endanger themselves indirectly. Instead of
putting themselves in a dangerous position in order to take a selfie, or to
use a social network, their careless postings may infuriate others.  The
unfortunate consequence might be that the careless user is murdered, see
e.g.:
http://www.nydailynews.com/news/crime/mexican-teen-stabbed-friend-65-times-posted-naked-selfies-cops-article-1.1741314

Two questions are worth addressing by psychologists and pedagogists.  First,
why are humans endangering their lives with their social networking
activities? When raising children one can caution them of the potential
dangers of current technologies (such as cars). The question is how one can
educate the next generation to reduce their risks that will be caused by a
future, currently yet unknown, technology.

Department of Computer Science, EC31, The University of Texas at Dallas
Richardson TX 75080-3021  http://www.utdallas.edu/~Yvo.Desmedt/ +1(972)883-4536


Tax Fraud Gang Targeted Healthcare Firms

Jim Reisert AD1C <jjreisert@alum.mit.edu>
Wed, 30 Apr 2014 13:09:31 -0600
According to the article, two-factor authorization was provided recently
"after a large number of its customers had already been compromised by
fraudsters who were plundering W-2 data to file fraudulent tax refunds."
Jody Kaminsky, senior vice president of marketing at Ultipro, was quoted as
saying, "We strongly encourage [customers] to use it," but apparently did
not require them to do so.

http://krebsonsecurity.com/2014/04/tax-fraud-gang-targeted-healthcare-firms/


UPS hasn't found the package of clue yet

David Lesher <wb8foz@panix.com>
Wed, 30 Apr 2014 16:19:11 -0400
I got a better-than-average phish/virus/spam message, claiming to be a UPS
delivery exception notice.

The tracking # cited was even valid, but in the UK.

The usual clues tipped me off: a delivery exception does not need an
attached zip, the Received headers did not list ups.com, etc.

I found a link to reach UPS, and alerted them. I got a reply quickly,
saying "not us" & "we know" etc.

EXCEPT

The message back from UPS Fraud Mitigation Corporate Security was:

A) Not in text; it was in HTML only.

B) The headers show it is not from UPS, but rightnowtech.com, an Oracle
business group, I gather: ...

Received: from mailgwmw04.rightnowtech.com (mailgwmw04.rightnowtech.com
[74.117.203.124])
	by ZZZ.WW.XXX (Postfix) with ESMTP id AB397D1816A
	for <XXXXXX@YYYY.COM>; Wed, 30 Apr 2014 15:38:40 -0400 (EDT)
Received: from [10.70.0.131] ([10.70.0.131:6575]
helo=access-mw.rightnowtech.com)
	by rntmw123.rnmk.com (envelope-from <customer.service@ups.com>)
	(ecelerity 2.2.2.45 r(34222M)) with ESMTP
	id 4A/C6-04808-04151635; Wed, 30 Apr 2014 14:38:40 -0500
Received: from utilmw04.int.rightnowtech.com (localhost.localdomain
[127.0.0.1])
	by access-mw.rightnowtech.com ("Mail Server") with SMTP id 30177903912
	for <XXXXXX@YYYY.COM>; Wed, 30 Apr 2014 14:38:40 -0500 (CDT)

At least there was no attached zip file. But jeeze, hasn't anyone there got
a clue yet?


The risks of garbage collection delays

Steve Loughran <stevel@apache.org>
Thu, 1 May 2014 14:07:32 +0100
  Re: heartbleed (Maziuk, RISKS-27.86)

Irrespective of whether GC can be deterministic or not, large-scale systems
are written in GC'd languages; everything built in Java and .NET is GC'd.
As an example, Apache Hadoop implements its HDFS distributed filesystem in
Java, so it does not directly have to worry about buffer overflows - though
whenever it delegates to native code that risk does exist.

Where garbage collection is an issue is that it can introduce delays, and
the larger the process's memory space, the longer the GC time can be. The
standard HDFS clients are written to support blocking with backoff policies
- including the ability to failover to another server if the client
determines that the original server has failed.

Which raises the hard question: how can a remote network client distinguish
"hung process" from "process undergoing very large GC pauses"? They tend to
exhibit the same behaviour (TCP connections accepted in the kernel, but all
communications blocked); heartbeat events do not get published, so a
process's membership of any Paxos-style distributed group may lapse.

The only solution today is to have long enough timeouts that network-side
failover and server-side (STONITH-style) fencing don't misinterpret a GC
pause as a hung process, and so overreact.

Yet the Java runtime is aware that GC is going on - this information just
isn't published externally, or propagated to routines in the process itself
that can be used to alert the rest of the distributed system that "it is not
dead - just pining for the fjords". This would seem a feature worth
developing, as now that the heap size of a process can be measured in over a
hundred gigabytes, delays can only increase. Rather than continuing to hope
that GC will become deterministic, we can just accept reality and design our
systems around it.
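The in-process GC awareness the post asks for, as an added example that is not from the post, from Hadoop or from any project: the JDK's GarbageCollectorMXBean delivers a notification after each collection, and a heartbeat can carry that pause record so a coordinator can tell a late-but-alive node from a dead one. The class name, field names and the JSON heartbeat shape are assumptions of this example.

```java
import com.sun.management.GarbageCollectionNotificationInfo;
import java.lang.management.GarbageCollectorMXBean;
import java.lang.management.ManagementFactory;
import java.util.concurrent.atomic.AtomicLong;
import javax.management.Notification;
import javax.management.NotificationEmitter;
import javax.management.openmbean.CompositeData;

/** Added example (not from the RISKS post or Hadoop): report GC pauses from
 *  inside the JVM so heartbeats can say "late because of GC", not "dead". */
public final class GcPauseReporter {
    private static final AtomicLong lastPauseMs = new AtomicLong();
    private static final AtomicLong lastGcEndTs = new AtomicLong();
    private static final AtomicLong totalPauseMs = new AtomicLong();

    /** Subscribe to every collector in this JVM (JDK 7u4+). A notification is
     *  delivered on a JMX thread after each collection completes. */
    public static void install() {
        for (GarbageCollectorMXBean gc : ManagementFactory.getGarbageCollectorMXBeans()) {
            ((NotificationEmitter) gc).addNotificationListener((Notification n, Object hb) -> {
                if (!GarbageCollectionNotificationInfo.GARBAGE_COLLECTION_NOTIFICATION.equals(n.getType())) return;
                GarbageCollectionNotificationInfo info =
                        GarbageCollectionNotificationInfo.from((CompositeData) n.getUserData());
                // getDuration() is the whole collection's elapsed time in ms; for a
                // concurrent collector that exceeds the stop-the-world portion.
                long ms = info.getGcInfo().getDuration();
                lastPauseMs.set(ms);
                totalPauseMs.addAndGet(ms);
                lastGcEndTs.set(System.currentTimeMillis());
            }, null, null);
        }
    }

    /** Heartbeat body for the coordinator. A lease-based membership service can
     *  treat a late heartbeat whose lastGcEndTs falls inside the missed window as
     *  a GC stall and renew the lease instead of fencing (STONITH) the node. */
    public static String heartbeat(String nodeId) {
        return String.format(
                "{\"node\":\"%s\",\"ts\":%d,\"lastGcPauseMs\":%d,\"lastGcEndTs\":%d,\"totalGcPauseMs\":%d}",
                nodeId, System.currentTimeMillis(), lastPauseMs.get(), lastGcEndTs.get(), totalPauseMs.get());
    }

    public static void main(String[] args) throws InterruptedException {
        install();
        for (int i = 0; i < 256; i++) { byte[] junk = new byte[1 << 20]; junk[0] = 1; } // constructed garbage
        System.gc();
        Thread.sleep(200); // the listener runs asynchronously
        System.out.println(heartbeat("datanode-7"));
    }
}
```

The heartbeat can only go out after the pause, since every application thread is stopped during a stop-the-world collection; what the record changes is that the coordinator's timeout logic has evidence on which to readmit the node rather than fence it.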


Re: Unintended Denial of Service by Banking Security (RISKS-27.84)

Toby Douglass <trd@45mercystreet.net>
Thu, 01 May 2014 01:12:48 +0100
Regarding my previous submission on this subject, I have discovered myself
labouring under a misapprehension.

I had understood that the purpose of this limit was to prevent accounts
being emptied by an attacker, and so (mis)understood it to be *per day*.

In fact, it is *per transfer*.

An account can be emptied immediately.  This measure is not therefore
addressing this issue.  At least initially it would seem that the sole
effect of this "security measure" is the repeated as opposed to one-off
application of the transfer fee (3 USD inside the US, 25 USD outside).

However, there may yet be a kinder explanation.  It may be a (rather blunt)
effort to increase the adoption rate of the two-factor authentication
scheme, which increases the transfer limit to 10k USD.


Re: It's Insanely Easy to Hack Hospital Equipment (Baker, RISKS-27.86)

Larry Sheldon <lfsheldon@gmail.com>
Tue, 29 Apr 2014 19:00:36 -0500
> When Scott Erven was given free rein to roam through all of the medical
> equipment used at a large chain of Midwest health care facilities, he knew
> he would find security problems—but he wasn't prepared for just how bad
> it would be.

This is an old problem—years ago at Creighton, the hospital wanted us to
filter off traffic to heart monitors (but couldn't at a point that would
have made a difference).  According to them at the time, the FDA would not
allow them to protect the Windows 95-based stuff.

Idiots on offer. Free to collect. h/t Dagelijkse Standaard


Re: Microsoft injects code into files backed up on their cloud (Thorson, RISKS-27.86)

George Sicherman <colonel@monmouth.com>
Wed, 30 Apr 2014 09:32:09 -0400
Mark Thorson links to a Myce report by Sean Byrne.

Byrne reports that Microsoft's cloud service OneDrive for Business modifies
many of the files stored in it, adding identification numbers or conditional
code.  Byrne's verdict: "So what this means is that people who use OneDrive
for Business or SharePoint need to be very careful with what they sync with
it ... "

Thorson remarks that "doing this without notification seems like an enormous
breach of trust." I regard it as a fraud.  If Microsoft is changing its
customers' files without permission, it is not providing true cloud service.

Today they inject identification numbers.  Tomorrow they may inject spyware,
worms, or steganopornography.

So users of Microsoft cloud services do not "need to be very careful."  They
need to stop using Microsoft cloud services.


When smart mail goes wrong...

George Michaelson <ggm@pobox.com>
Thu, 1 May 2014 10:10:46 +1000
receive mail which has 1.2.3.4. enumerated list.

reply inline. >quoting norms.

because of whitespace, > <CRLF> pagination... each 1. 2. 3. instance is
detected as a 'fresh' list and it automatically resets the numbering
to 1 each time...

I can imagine a lawyer having fun: "you said no to item 1" when in fact
it's "item 3".


Heartbleed as Metaphor

<dan@geer.org>
Wed, 30 Apr 2014 08:07:53 -0400
Lawfare, 21 Apr 2014
http://www.lawfareblog.com/2014/04/heartbleed-as-metaphor


Lessons from the ACM Risks Forum, Webinar with PGN

Yan Timanovsky <timanovsky@hq.acm.org>
Thu, 1 May 2014 19:42:05 +0000
Registration is now open for an ACM Webinar featuring what may be an unusual
interactive session with Peter G. Neumann, moderated by Will Tracz (head of
ACM SIGSOFT).

  Title: Lessons from the ACM Risks Forum
  Event: Webinar with Peter G. Neumann
  Date: Thursday 22 May 2014
  Time: 9am PDT, 10am MDT, 11am CDT, 12noon EDT, 4pm GMT, 5pm UK daylight,
        [or whenever, wherever else you are!]

This webinar will be a free-wheeling discussion of what we might have
learned from almost thirty years of the ACM Risks Forum.  No talk-specific
slides are planned; after initial remarks from the speaker, the topics will
hopefully be influenced somewhat interactively by questions and comments you
might pose, as interpreted by our moderator, Will Tracz.  We hope many
regular RISKS readers—and many others—will join us.  Various
background information is online, in case you have not been a long-time
RISKS reader.  PGN

 * The ACM Risks Forum: http://www.risks.org with a nice searchable
   reader interface (courtesy of Lindsay Marshall at Newcastle)
 * The CACM Inside RISKS series (The 233rd article in the series will
   appear online on 22 May 2014, for the June 2014 CACM.)
     http://www.csl.sri.com/neumann/insiderisks.html
 * The Illustrative Risks annotated index to the early ACM SIGSOFT
   Software Engineering Notes and RISKS issues:
     http://www.csl.sri.com/neumann/illustrative.pdf
     http://www.csl.sri.com/neumann/illustrative.html for browsing
 * Website
     http://www.csl.sri.com/neumann
 * Bio:
     http://www.csl.sri.com/neumann/short.bio

REGISTRATION:
http://w.on24.com/r.htm?ex7463&s=1&kIF794B0466F24FA9C540F5A5C6AE131

Yan Timanovsky <timanovsky@hq.acm.org>, ACM Education Manager
ACM, 2 Penn Plaza, 7th Floor, New York NY 10121 1-212-626-0515


CfP: LASER 2014 - Workshop on Learning from Authoritative Security Experiment Results

Jeremy Epstein <jeremy.j.epstein@gmail.com>
Wed, 30 Apr 2014 17:24:45 -0400
Call for Papers
2014 LASER Workshop - Learning from Authoritative Security Experiment Results
http://www.laser-workshop.org
Arlington, Virginia - October 15-16, 2014
Paper submissions due June 30, 2014

The LASER workshop invites papers that strive to exemplify the practice of
science in cyber security. The goal of this series of workshops, now in its
third year, is to address the practice of good science. We encourage
participants who want to help others improve their practice and participants
who want to improve their own practice. LASER welcomes papers that are:

- Exemplars of the practice of science in cyber security.
- Promising works-in-progress that would benefit from expert feedback.

LASER seeks to foster a dramatic change in the paradigm of cyber security
research and experimentation. Participants will find LASER to be a
constructive and highly interactive venue featuring informal paper
presentations and extended discussions. To promote a high level of
interaction, attendance is anticipated to be limited to about 40 people.
However, to support a high level of student participation, this limit may
be increased.

Please send all questions to info@laser-workshop.org.

(Hitchens' razor) What can be asserted without evidence can
be dismissed without evidence. —Christopher Hitchens.

[More information, motivation, committees, etc at www.laser-workshop.org]

  [Sean Peisert sent me the entire CfP (much too long for RISKS).
  Jeremy saved me the effort to prune it down... PGN]
