The RISKS Digest

Forum on Risks to the Public in Computers and Related Systems

ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

Volume 26 Issue 98

Monday 20 August 2012


Epic EMR Device Endangering Lives: Nurses Say They Are Guinea Pigs for the Vendor; Innumerable Complaints
Southwest glitch causes multiple billings
Monty Solomon
NYPD unveils new $40 million super computer system ...
Rocco Parascandola and Tina Moore via Monty Solomon
"Citadel exploit goes after weakest link at airport: employees"
Taylor Armerding via Gene Wirchenko
Hackers Identify Threat to NextGen: Ghost planes
Live Security Platinum
David Einstein
NYC "Metrocard Vending Machine" failure on DNS-changer day
Danny Burstein
How do you reach your repair techs when the network is dead?
Danny Burstein
"Cloud security dos and don'ts after the latest Dropbox breach"
Christine Wong via Gene Wirchenko
"Security vendor exposes vulnerabilities in DDoS rootkit"
Jaikumar Vijayan via Gene Wirchenko
How we screwed [almost] the whole Apple community
Lukasz Lindell via Monty Solomon
"Elections Ontario data loss victims could top four million"
Howard Solomon via Gene Wirchenko
Rakshasa proof-of-concept malware infects BIOS, network cards
Lucian Constantin via Gene Wirchenko
"Nvidia releases Unix driver to fix high-risk vulnerability"
Lucian Constantin via Gene Wirchenko
iPhone SMS
"Today's Internet: All the fake news that's fit to publish"
Robert X. Cringely via Gene Wirchenko
Trust: Ill-Advised in a Digital Age
Somini Sengupta via Monty Solomon
Wikileaks reveals TrapWire ...
Paul Steier
Re: Lawyers who hate maths and computers
Re: Oakland police radios fail during Obama visit
Bob Frankston
Re: Hand wringing over Knight Capital software bugs
Bob Frankston
Re: Announcement of civil timekeeping meeting
Jan Hoogenraad
Re: Olympics security poster 'gibberish'
Amos Shapir
Info on RISKS (comp.risks)

Epic EMR Device Endangering Lives: Nurses Say They Are Guinea Pigs for the Vendor; Innumerable Complaints

"Peter G. Neumann" <>
Thu, 16 Aug 2012 16:02:04 PDT
  [Thanks to D Kross]

California nurses report that Epic's EMR devices are endangering lives as
reported in the linked report:

Southwest glitch causes multiple billings

Monty Solomon <>
Sun, 5 Aug 2012 09:57:19 -0400
Arriving at 4 million Facebook friends, Southwest Airlines offered them
half-price tickets.  Unfortunately, hundreds of customers were billed
multiple times for each flight booked—in at least one case, 20 times for
a $69 ticket.  The problem was discovered around 5pm on 3 Aug 2012.
Complaints apparently mushroomed because of the backlog of callers, and
resulted in a flurry of Facebook postings!!!  [AP item PGN-ed]

NYPD unveils new $40 million super computer system ...

Monty Solomon <>
Sat, 11 Aug 2012 20:42:36 -0400
Rocco Parascandola and Tina Moore, *New York Daily News*, 8 Aug 2012 [PGN-ed]

The NYPD is starting to look like a flashy, forensic crime TV show thanks to
a new super computer system unveiled Wednesday near Wall St.  The Domain
Awareness System, designed by the NYPD and Microsoft Corp., uses data from a
network of cameras, radiation detectors, license plate readers and crime
reports, officials said.  Commissioner Ray Kelly says the system is able to
access information through live video feeds and allow cops to get readings
on radioactive substances.  Cops were involved with the programmers
throughout the process, earning the city its cut of the proceeds.

Mayor Bloomberg: "We're not your mom and pop police department anymore.  We
are in the next century.  We are leading the pack."  The system, which cost
somewhere between $30 and $40 million to develop, could also help pay for
itself, with the city expecting to earn 30% of the profits on Microsoft
sales to other cities and countries.

"Citadel exploit goes after weakest link at airport: employees" (Taylor Armerding)

Gene Wirchenko <>
Thu, 16 Aug 2012 13:16:19 -0700
By Taylor Armerding, *InfoWorld*, 15 Aug 2012
The man-in-the-browser attack using a Trojan has compromised the VPN
at a major hub

Hackers Identify Threat to NextGen: Ghost planes

"Peter G. Neumann" <>
Sat, 18 Aug 2012 15:48:01 PDT
  [Thanks to Ira Rimson for spotting this one.  PGN]

Is the FAA *really* capable of dealing with tech progress?
"Multilateration"? (From, 18 Aug 2012):
*Hacker Says NextGen Is Vulnerable To Attack*

'Ghost Planes' Could Appear On Your ADS-B-Equipped EFIS

Every time new technology comes along, someone somewhere begins an effort
to see how it can be compromised, manipulated, and sometimes even
destroyed. And apparently NextGen is no exception. In a story appearing on
NPR, a Canadian computer hacker named Brad Haines said that the data
transmitted by ADS-B is unencrypted and unauthenticated. Those are bad
words in the computer security world. Haines, who is known in the online
community as RenderMan, found he could "spoof" the signals and make your
TIS see airplanes where there are none.

Haines imagined a scenario where a hacker suddenly added 50 "ghost
airplanes" to an ATC screen. He said that such an attack could make a pilot
swerve to miss airplanes that aren't there, or potentially shut down an
airport. An hour's worth of disruption at a major airport could have ripple
effects that could spread worldwide, he said.

Haines and another hacker named Nick Foster created an ADS-B spoof using
the FlightGear flightsim game. They say if they had hooked the game up to a
low-power transmitter, they could have convinced controllers that they were
an actual airplane. The experiment has reportedly been duplicated in
France. Both Haines and the French hacker ... Romanian grad student Andrei
Costin ... have published papers and made presentations about their work.

The U.S. Air Force has expressed concerns about the potential for
"spoofing" NextGen. One cyberwarfare student ... Maj. Donald McCallie ...
wrote in a paper last year that NextGen is "on a collision course with
history." The FAA has reportedly not yet released the results, or even
initial data, from its own security tests. It has been mostly quiet on the
reports coming from the Air Force and the hackers. In a one-paragraph
statement, the FAA said that an "ADS-B security action plan identified and
mitigated risks and monitors the progress of corrective action. These risks
are security sensitive and are not publicly available."

The FAA told NPR that it will use a system called "multilateration" to
discriminate between real and fake airplanes on ADS-B receivers. But the
system requires multiple receivers analyzing every ADS-B signal.
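What the FAA's multilateration answer amounts to, as an added illustration
(my code, not the article's, NPR's or the FAA's): a position report is only
believed if the time differences of arrival at several receivers match the
differences that the *claimed* position would produce.  A single low-power
ground transmitter, like the one Haines and Foster describe, can put any
coordinates in the message but cannot change where the radio energy comes
from.  The example uses a local east/north/up frame in metres (a real network
would first convert the reported latitude/longitude/altitude to ECEF), four
constructed receiver sites on a 50 km square, and assumes the receivers share
a GPS-disciplined clock and timestamp relative to the same second boundary.

```python
"""Multilateration sanity check for ADS-B position reports.

Added example, not from the article or from any FAA/NPR material.
Coordinates are a local east/north/up frame in metres; receivers are
assumed to share a GPS-disciplined clock and to timestamp each message
relative to the same second boundary.
"""
import math

C = 299_792_458.0  # speed of light, m/s

# Four ground receivers on a 50 km square (constructed positions).
RECEIVERS = [
    (0.0, 0.0, 0.0),
    (50_000.0, 0.0, 0.0),
    (0.0, 50_000.0, 0.0),
    (50_000.0, 50_000.0, 0.0),
]


def distance(a, b):
    return math.sqrt(sum((p - q) ** 2 for p, q in zip(a, b)))


def arrival_times(tx_pos, t_emit, receivers=RECEIVERS):
    """Time at which each receiver hears a message sent from tx_pos at t_emit."""
    return [t_emit + distance(tx_pos, r) / C for r in receivers]


def tdoa_residuals_m(claimed_pos, times, receivers=RECEIVERS):
    """Compare the observed time differences of arrival (relative to
    receiver 0) with the differences the claimed position would produce.
    Residuals are returned as metres of path difference so a threshold is
    easy to reason about (1 microsecond of timing is about 300 m)."""
    d0 = distance(claimed_pos, receivers[0])
    residuals = []
    for r, t in zip(receivers[1:], times[1:]):
        predicted = distance(claimed_pos, r) - d0
        observed = (t - times[0]) * C
        residuals.append(abs(observed - predicted))
    return residuals


def position_is_consistent(claimed_pos, times, receivers=RECEIVERS, tol_m=300.0):
    """True if the report could plausibly have been transmitted from where it
    says it was.  Tune tol_m to the real receivers' clock and sync error."""
    return max(tdoa_residuals_m(claimed_pos, times, receivers)) <= tol_m


def demo():
    aircraft = (20_000.0, 30_000.0, 10_000.0)  # genuine transponder, 10 km up
    spoofer = (5_000.0, 5_000.0, 0.0)          # low-power ground transmitter
    t0 = 0.25                                   # seconds after the GPS second
    genuine = arrival_times(aircraft, t0)
    # The spoofer sends a message *claiming* the aircraft's position, but
    # the signal physically originates on the ground.
    spoofed = arrival_times(spoofer, t0)
    return {
        "genuine_ok": position_is_consistent(aircraft, genuine),
        "spoofed_ok": position_is_consistent(aircraft, spoofed),
        "spoofed_worst_residual_m": max(tdoa_residuals_m(aircraft, spoofed)),
    }


if __name__ == "__main__":
    print(demo())
```

The genuine report passes with a residual of centimetres; the spoofed one is
off by tens of kilometres and is rejected.  Two caveats follow directly from
the article's "requires multiple receivers" remark: the check says nothing
about a message heard by fewer than three or four sites, and an adversary
with several time-synchronised transmitters placed to reproduce the expected
time differences could still pass it, which is one reason not to publish
receiver locations.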

Live Security Platinum (David Einstein)

"Peter G. Neumann" <>
Mon, 20 Aug 2012 10:33:58 PDT
A questioner in David Einstein's column in the *San Francisco Chronicle*
today (20 Aug 2012) was a victim of Live Security Platinum.  He/she wondered
(rather naively?) why LSP was able to get by the questioner's collection of
Norton Security Suite and Constant Guard (provided free by Comcast) plus the
free version of Malwarebytes Anti-Malware and Microsoft Security Essentials,
adding that the damage was so bad that the repair center techie suggested
the only solution was to wipe the hard drive and start over (with which
David Einstein disagrees).

Does it surprise any RISKS readers that the anti-malware folks cannot keep
up with new malware?  Or that their free tools actually might detect novel
malware?  Furthermore, this is not just a case that suggests that we should
always look a gift horse in the mouth.  The same questions seem to apply to
non-free tools.  By the way, the horse is out of the barn, irrespective of
how much it costs.

NYC "Metrocard Vending Machine" failure on DNS-changer day

Danny Burstein <>
Sun, 19 Aug 2012 15:35:19 -0400 (EDT)
You may recall that the morning the Feds shut down their sanitized /
redirected DNS servers that were helping to minimize the effects of the
"dns-changer" virus, the NYC transit authority Metrocard Vending Machines
were offline during the morning rush hour.

A lot of us wondered whether this was related.

I FOIAled the Transit Authority for their story.

The reply is scanned in at:

They claim "a shortage of cpu processing cycles", without explaining why
that happened. So it just might, or might not be, related to DNS changer...

Further insights appreciated...

  [Cursors, FOIAled again!  PGN]

How do you reach your repair techs when the network is dead?

Danny Burstein <>
Wed, 18 Jul 2012 15:40:41 -0400 (EDT)
answer: you send a trooper...

"Collom, who also did not have land or cell service, was notified of the
situation when an Isabella County Sheriff's Deputy went to her home to alert
her of the problem" [a]

- the ILEC (incumbent telco) phone switch hiccuped last night.  This knocked
out very roughly half the landline service in the area, PLUS some of the
cell-cos (conflicting reports as to exactly what was out, since if you hit a
tower ten miles away you were ok. Looks like two of the three were clobbered
in town. Don't know about their data services).

Oh, and killed off the ILEC's DSL internet.

The CLEC (independent telco) facility was still ok - yes, we're one of the
few areas with a true "overbuild" of telco lines. And the "cable" tv and
internet lines did ok.

- oh, and this also shut down the main lines to the "911 dispatch
center". Sigh.

- isn't this where they're supposed to round up all the deputies and buffs,
and station their pickup trucks every half mile?

But wait, there's MORE. The town here has a local, municipal, radio
transmitter which kicks out traffic and related info, and
also.. rebroadcasts the National Weather Service station.

The NWS "All Hazards Radio" is a *key* portion of the national emergency
backbone. It's used for both local issues such as tornadoes, and would be
called into action for some super serious and critical disaster scenarios
(as in nuclear missile detection).

The city's transmitter was just a mess of static. I figured this was simply
that it had hiccuped on its own or that it had lost its own feed.

I then tried tuning in the NWS station directly. Nothing.  Their transmitter
is only a couple of miles from me.

- I was able to pick one up from about 40 miles away, but there's nothing

- As I've mentioned before, the NWS/NOAA/All Hazards Radio is a *key*
emergency communications channel, both for local issues (such as tornadoes)
and for those really ugly cold war scenarios.

They're supposed to withstand *anything* short of a direct nuclear ground
strike. Ok, I'm exaggerating. But still, they are very much counted on. To
lose one of them for something this mundane is quite disturbing.

- NOAA's web page does, kindly enough [b], advise that the transmitter is
"out of service"


"Cloud security dos and don'ts after the latest Dropbox breach" (Christine Wong)

Gene Wirchenko <>
Thu, 02 Aug 2012 09:54:15 -0700
Christine Wong, *IT Business*, 1 Aug 2012
Cloud security dos and don'ts after the latest Dropbox breach;
Here's what businesses and consumers can do to protect themselves
from a security breach like the latest one at Dropbox.

Dropbox acknowledged this week that thousands of its users had spam sent to
other accounts that were linked to their Dropbox accounts.  An investigation
found that a Dropbox employee had his password stolen for a non-Dropbox
account. The thieves then used that password to hack into his Dropbox
account, which contained a document with Dropbox user email addresses in
it. Those email addresses were used to send massive spam messages to
accounts owned by Dropbox users.

It was the second serious security breach reported at Dropbox. Just over a
year ago, the company accidentally turned off its password authentication
system, allowing anyone to access Dropbox user files without a password.

"Security vendor exposes vulnerabilities in DDoS rootkit" (Jaikumar Vijayan)

Gene Wirchenko <>
Thu, 16 Aug 2012 13:13:07 -0700
  Turnabout is fair play?

Jaikumar Vijayan, ComputerWorld, InfoWorld, 15 Aug 2012
Security vendor exposes vulnerabilities in DDoS rootkit
Prolexic says the information is designed to help enterprises mitigate attacks

How we screwed [almost] the whole Apple community (Lukasz Lindell)

Monty Solomon <>
Mon, 13 Aug 2012 19:18:03 -0400
Lukasz Lindell, 13 Aug 2012

Have you heard the phrase "That's true because I saw it on TV" at some
point? It was often the truth in the old days when people only had the TV or
newspaper to relate to. What you saw or read was the truth, although it
obviously wasn't always so.

Today, thanks to the Internet, we consider ourselves much more
enlightened. We can discuss and examine the source in a way that was not
possible in the past. But are we really aware of all information flowing up
over the net? What is really true and what's not? When someone presents a
bit of loose facts on Twitter, I usually respond with something like "64% of
the facts on the Internet is 48% incorrect according to 52% of respondents",
completely made up numbers out of my head, but it makes people think a
little extra.

It is somewhat disturbing at times when the bandwagon takes off and speeds
up, without people being critical. People stand up for situations that may
never have happened, and spin on it, which ultimately results in what will
be treated as facts, or factoids.

We wanted to test this, how easy is it to spread disinformation? ...

"Elections Ontario data loss victims could top four million" (Howard Solomon)

Gene Wirchenko <>
Thu, 02 Aug 2012 09:32:28 -0700
Howard Solomon, *IT Business*, 1 Aug 2012

The number of Canadians who could be victims of one of the country's biggest
losses of personal data could hit four million, according to a privacy
official.  (The number was initially thought to be 2.6 million.)
Policy called for data put on portable devices to be encrypted. Not only
wasn't that done, after the loss was reported the agency gave staff two more
data sticks to use with orders to encrypt data—and again that wasn't

"On what planet do you do the same thing again?" a frustrated Cavoukian
asked reporters.  In fact, she added, the staff thought encrypting data
meant it was to be zipped, or compressed.
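The difference between "zipped" and "encrypted", as an added check (my code,
not Elections Ontario's): a ZIP archive records in each entry's
general-purpose flag bits whether that entry is encrypted, and an archive
whose entries have the bit clear gives up its contents to anyone who finds
the stick, with no key and no effort.  The records below are constructed
fakes built in memory.

```python
"""Zipped is not encrypted: a check for files found on removable media.

Added example, not Elections Ontario's code.  Builds a small archive of
constructed (fake) voter records in memory, shows that the ZIP format's
own encryption flag is clear, and recovers every record without a key.
"""
import io
import zipfile

# Constructed sample data; no real voters.
FAKE_RECORDS = (
    "voter_id,name,birth_year,address\n"
    "1001,Example Person,1961,1 Sample St\n"
    "1002,Another Example,1984,2 Sample St\n"
)


def build_sample_archive():
    """What 'encrypt it' turned into in practice: a compressed archive."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("voters.csv", FAKE_RECORDS)
    return buf.getvalue()


def zip_entry_encryption(data):
    """Map each entry name to whether general-purpose bit 0 (the ZIP
    'encrypted' flag, used by both ZipCrypto and AES-in-ZIP) is set.
    Returns None when the bytes do not parse as a ZIP archive at all."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return {info.filename: bool(info.flag_bits & 0x1)
                    for info in zf.infolist()}
    except zipfile.BadZipFile:
        return None


def recover_without_key(data):
    """What whoever finds the stick does: read everything."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return {name: zf.read(name).decode() for name in zf.namelist()}


def audit_media_file(data):
    """Verdict for one file found on a USB stick.  'not-a-zip' is not a pass:
    a genuinely encrypted container should look like random bytes, but so
    does any other binary, so it needs a separate check."""
    flags = zip_entry_encryption(data)
    if flags is None:
        return "not-a-zip"
    if flags and all(flags.values()):
        return "encrypted-archive-entries"
    return "plaintext-archive"


if __name__ == "__main__":
    archive = build_sample_archive()
    print(zip_entry_encryption(archive))
    print(audit_media_file(archive))
    print(recover_without_key(archive)["voters.csv"])
```

Even an archive that does set the flag is not necessarily safe: the
traditional ZipCrypto scheme is weak, so a policy that says "encrypt" should
name the container or full-disk tool it means rather than leave staff to
guess.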

Rakshasa proof-of-concept malware infects BIOS, network cards (Lucian Constantin)

Gene Wirchenko <>
Tue, 07 Aug 2012 09:55:01 -0700
Lucian Constantin, *ComputerWorld*, 29 Jul 2012
Researcher creates proof-of-concept malware that infects BIOS, network cards;
New Rakshasa hardware backdoor is persistent and hard to detect

IDG News Service - Security researcher Jonathan Brossard created a
proof-of-concept hardware backdoor called Rakshasa that replaces a
computer's BIOS (Basic Input Output System) and can compromise the operating
system at boot time without leaving traces on the hard drive.

"Nvidia releases Unix driver to fix high-risk vulnerability" (Lucian Constantin)

Gene Wirchenko <>
Wed, 08 Aug 2012 13:03:40 -0700
Lucian Constantin, IDG News Service, *InfoWorld*, 6 Aug 2012
Nvidia Unix driver 304.32 addresses a privilege escalation
vulnerability that can grant local users root access

Nvidia releases Unix driver to fix high-risk vulnerability.  Nvidia
confirmed the existence of the vulnerability and released version 304.32 of
the Nvidia Unix driver for Linux, FreeBSD and Solaris operating systems in
order to address it. The new version also includes other changes that the
company believes will prevent similar exploits in the future.  However,
despite the new release, the company still offers version 295.59 [the
vulnerable version] as primary download on its Unix drivers page.

iPhone SMS

"Who's This?" <>
Mon, 20 Aug 2012 10:18:54 PDT
A short item in today's free *Daily Post* (self-declared `No. 1 in Palo Alto
and the mid-Peninsula') reports that a flaw in Apple's iPhone OS for SMS
messages permits senders to enter a reply-to other than the From: line.  Is
that new news to any of you?  (Apple's response is to use its iMessage
service rather than SMS.)

By the way, you may realize that it was utterly trivial for me to edit the
address fields in this message *before* sending it to RISKS.  Nobigdeal.
But is it from me?  Who knows?  You want integrity in received e-mail?  As
Scott McNealy once said about privacy, fuggetaboutit.  The spammers and
scammers of the world seem to be winning.  PGN
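The mechanism behind the reply-to item, as an added illustration (my code,
not Apple's and not from the *Daily Post*): in SMS the originating address
(TP-OA) is inserted by the carrier's message centre, but the optional User
Data Header at the start of the message body, which the sender controls
entirely, can carry a Reply Address Element.  A handset that shows the reply
address as the sender is fooled; one that shows the originating address is
not.  The layout below follows 3GPP TS 23.040 for the swapped-nibble BCD
address encoding and for the header structure (IEI 0x22 for the reply
address is from my reading of that spec), and drops the other PDU fields
(protocol identifier, data coding scheme, timestamp), carrying the text as
plain 8-bit bytes.  All numbers are constructed.

```python
"""Why a reply address in an SMS can masquerade as the sender.

Added example; not Apple's code.  Simplified SMS-DELIVER layout:
[flags][TP-OA][optional UDH][text], following 3GPP TS 23.040 for the
address encoding and the User Data Header (IEI 0x22 = Reply Address
Element, an assumption from my reading of the spec).
"""

UDHI = 0x40                 # 'user data header present' bit in the first octet
REPLY_ADDRESS_IEI = 0x22    # Reply Address Element information element
TOA_INTERNATIONAL = 0x91    # type-of-address: international number


def encode_address(number):
    """Address-Length (in digits), Type-of-Address, swapped-nibble BCD digits."""
    digits = number.lstrip("+")
    padded = digits + "F" if len(digits) % 2 else digits
    bcd = bytes(int(padded[i + 1] + padded[i], 16) for i in range(0, len(padded), 2))
    return bytes([len(digits), TOA_INTERNATIONAL]) + bcd


def decode_address(buf, off):
    """Inverse of encode_address; returns (number, offset past the field)."""
    ndigits, toa = buf[off], buf[off + 1]
    nbytes = (ndigits + 1) // 2
    raw = buf[off + 2: off + 2 + nbytes]
    digits = "".join(f"{b & 0xF:X}{b >> 4:X}" for b in raw)[:ndigits]
    prefix = "+" if toa == TOA_INTERNATIONAL else ""
    return prefix + digits, off + 2 + nbytes


def build_sms_deliver(originator, text, reply_to=None):
    """originator is what the network asserts; reply_to rides in the UDH,
    which is part of the user data and therefore chosen by the sender."""
    body = text.encode("latin-1")
    flags, ud = 0, b""
    if reply_to is not None:
        ie = encode_address(reply_to)
        udh = bytes([REPLY_ADDRESS_IEI, len(ie)]) + ie
        ud = bytes([len(udh)]) + udh          # UDHL, then the elements
        flags |= UDHI
    return bytes([flags]) + encode_address(originator) + ud + body


def parse_sms_deliver(pdu):
    flags = pdu[0]
    originator, off = decode_address(pdu, 1)
    reply_to = None
    if flags & UDHI:
        udhl = pdu[off]
        udh = pdu[off + 1: off + 1 + udhl]
        off += 1 + udhl
        i = 0
        while i < len(udh):                   # walk the IEI/length/data triples
            iei, iel = udh[i], udh[i + 1]
            if iei == REPLY_ADDRESS_IEI:
                reply_to, _ = decode_address(udh[i + 2: i + 2 + iel], 0)
            i += 2 + iel
    return {"originator": originator, "reply_to": reply_to,
            "text": pdu[off:].decode("latin-1")}


def displayed_sender(msg, trust_reply_address):
    """Vulnerable behaviour: show the reply address when present.  Safe
    behaviour: always show the network-asserted originating address and, if
    a different reply-to exists, flag it separately."""
    if trust_reply_address and msg["reply_to"]:
        return msg["reply_to"]
    return msg["originator"]


def demo():
    pdu = build_sms_deliver("+15550001234",                  # attacker's real number
                            "Your account is locked, reply with your PIN.",
                            reply_to="+15559876543")         # impersonated bank
    msg = parse_sms_deliver(pdu)
    return {"vulnerable": displayed_sender(msg, True),
            "safe": displayed_sender(msg, False),
            "reply_to": msg["reply_to"]}


if __name__ == "__main__":
    print(demo())
```

The parsed message is identical in both cases; only the display policy
differs, which is why "use iMessage instead" is a workaround for the
transport rather than a fix for the handset's choice of what to show.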

"Today's Internet: All the fake news that's fit to publish"

Gene Wirchenko <>
Wed, 15 Aug 2012 13:45:43 -0700
Robert X. Cringely, *InfoWorld*, 15 Aug 2012
  Fictional Apple screws, phony *New York Times* editorials,
  bogus sources—is anything on the Net not a fake?

My favourite sentence: "Gaming the media seems to have become the
second-most popular attraction on the Internet besides porn."

The conclusion: "We are rapidly approaching a point where no one is credible
and nothing can be believed.  When you can no longer separate fact from
fiction or reality from propaganda, the media simply becomes a megaphone for
whoever can shout the loudest.  That's a dangerous place to be."

  [And for those of you who think Robert X. Cringely is a real person
  responsible for lo these many items noted in RISKS, a little browse'll
  do ya.  PGN]

Trust: Ill-Advised in a Digital Age (Somini Sengupta)

Monty Solomon <>
Sun, 19 Aug 2012 00:02:48 -0400
Somini Sengupta, *The New York Times*, 11 Aug 2012

Las Vegas.  Bruce Schneier ordered a Coke, no ice, at the Rio casino on a
Saturday afternoon. I ordered Diet Coke, also no ice, and handed the
bartender an American Express card. He said he needed to see proof of
identity.  Credit cards are often stolen around here, and eight casino
workers had recently been fired for not demanding ID, he quietly explained.
The bartender wanted to keep his job.

Mr. Schneier, 49, is a student of interactions like this, offline and on. He
is a cryptographer, blogger and iconoclast in the world of computer
security, and his latest subject of inquiry is trust: how it is cultivated,
destroyed and tweaked in the digital age.

Offline, he likes to point out, we have ways to establish trust, as in this
casino, where we expect the bartender to serve us a soda, not a poisoned
chalice. We establish trust based on how we speak, whether we appear drunk
or deranged, whether we meet at a casino or a toy store - and also,
irrationally, on attributes like race and age.

Online, this becomes even more complicated, Mr. Schneier argues. We no
longer think twice about letting our friends see our vacation pictures on
Flickr, now owned by Yahoo. So habituated have we become to revealing
intimate details, Mr. Schneier writes, that we forget that Facebook, the
company, can read our missives at any time, potentially forever.

Mr. Schneier is in charge of technology security at BT, the British
telecommunications company. His latest book, "Liars and Outliers: Enabling
the Trust That Society Needs to Thrive," published earlier this year by
Wiley, is filled with foreboding: less about technology than about the
vulnerability of the heart and mind. ...

Wikileaks reveals TrapWire ... (RISKS-26.97)

Paul Steier <>
18 August 2012 17:04
> ... how convenient is that, conspiracy theorists? But you can still see a
> description of Abraxas' Tr[a]pWire technology here, at the USPTO.

  [missing link added]

Re: Lawyers who hate maths and computers (RISKS-26.97)

Wols Lists <>
Thu, 16 Aug 2012 13:27:51 +0100
> Lawyers, on the other hand, who probably got into law because they hated
> math and computers, have not had the computer as strict task-master to
> teach them the humility of following errant logic to its mostly bitter
> conclusions.

You mean like Judge Alsup, overseeing the Oracle v Google lawsuit?

Who is, I believe, a PhD Maths graduate.

And when Oracle argued that RangeCheck was "oh so valuable" said that he had
spent a morning writing it ten different ways, including learning Java so he
could write a version in that language.

If you follow cases on Groklaw, you rapidly learn that, unlike in other
countries, it is very difficult in the US to sanction lawyers for being an
idiot. As a result, they tend to make idiotic arguments without any fear of
the consequences. In the UK, with its habit of awarding "attorney fees" as a
matter of course, silly arguments tend to get knocked on the head by the
client as a matter of course. They don't want to have to pay the bill for
the other side to refute it!

Re: Oakland police radios fail during Obama visit (Van Derbeken, RISKS-26.96)

"Bob Frankston" <>
Wed, 1 Aug 2012 17:22:55 -0400
Building a radio system is so 1920's. Why have a separate single-hop radio
system for each purpose when we could provide resilient IP coverage that makes
it easy to take advantage of any available path? That seems so obvious but
... and as a bonus we wouldn't be limited to predefined interconnections.

As long as we continue to make telecommunications a profit center we require
assuring that no bits are exchanged unless they are billed for. This funding
model must, by necessity be brittle otherwise people would just shun the
expensive paths. The term "shun" comes from "shunpike" for people who
bypassed toll roads in the heyday of (not for profit) private pikes.

More on the policy stuff in for those interested.

Re: Hand wringing over Knight Capital software bugs (RISKS-26.97)

"Bob Frankston" <>
Wed, 15 Aug 2012 21:07:18 -0400
I want to emphasize Henry's point that this is not necessarily a software
problem as such. It seems more a matter of hubris—the same hubris that
lets traders bet trillions of dollars on complex derivatives that few, if
any, understand. And history has shown those that do think they understand
will wind up being wrong at some point.

Perhaps programmers have some responsibility for telling their managers that

or policies. Understanding the risks should be part of basic literacy but,
perhaps, programmers are more aware (or at least, as Henry noted, they
should've learned humility) because they fail often and should expect
failures. But trying to educate those who see programmers as hired hands
might not be a good career move.

Saying that we need AI or "hundreds of eyes" to recognize unusual patterns
misses the point—you can't anticipate all possibilities especially
algorithms and procedures that interact with other systems that one does not
control nor may even be aware of. Instead one has to expect failures and
deal with them in stride.

Sure big trades bring big returns and an adrenalin rush. And, after all, to
many traders it's only a game.

It could be worse—we could privatize all public insurance programs such
as healthcare and social security on the assumption that each individual
could make the right choice about the unknowable future.

Re: Announcement of civil timekeeping meeting (Stockton, RISKS-26.93)

Jan Hoogenraad <>
Fri, 17 Aug 2012 21:29:52 +0200
I think your proposal is great, and easily implementable. I'd like to
support this.  Is there a forum to do so?

If GMT is defined as currently (Solar), ST (Science Time) is just a
timezone.  Leap seconds (NOT nanosecond steps !) can be distributed by the
normal timekeeping mechanisms ( I regularly get timezone file updates on my
Ubuntu and Windows systems as well, and leap seconds can be known a year in
advance).  All timeservers in the world could keep dispersing GMT, no
change.  Local machines can (in batch mode, converting time in past and
future) use the normal timezone converters, with timezone ST.

Local machines can (in background mode) use the normal locking of clocks, internally using zone ST.

Actually, including the additional time zone ST in linux and windows would be relatively easy to do.
This would mark a first simple step.

I would not use NGMT, as update tables are hard, but rather GMT

Re: Olympics security poster 'gibberish' (RISKS-26.95,96)

Amos Shapir <>
Thu, 2 Aug 2012 17:50:15 +0300
At least it did not happen on a real tombstone...

When my mother passed away last year, the tombstone maker had trouble
generating an inscription which matched the one on my father's stone, who
had died 12 years earlier.  The reason was that the computerized drawing
program he was using could not control precisely the size of blanks!
Luckily he was aware of the pitfalls and worked hard to overcome the
problems; I can imagine someone else could just as well hit the "print"
button to cast their errors in stone.

PGN asked:
> Did the inaccurate spacing result in changing the meaning?
> You kind of left me wondering what the literal content was...

No, it was just a matter of formatting, to make the new stone look the same
as the old one (which was set by hand).  In this case, just hitting the
"print" button would only have created bad typesetting, but the encounter
with this system made me realize that what had happened in the TV episode
could actually have happened on a real tombstone.

Please report problems with the web pages to the maintainer