From: RISKS List Owner (risko@csl.sri.com)
Date: Tue Aug 12 2008 - 17:48:53 CDT
RISKS-LIST: Risks-Forum Digest Tuesday 12 August 2008 Volume 25 : Issue 28
ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
Peter G. Neumann, moderator, chmn ACM Committee on Computers and Public Policy
***** See last item for further information, disclaimers, caveats, etc. *****
This issue is archived at <http://www.risks.org> as
The current issue can be found at
Internet attacks against Georgian web sites (Gadi Evron, Gadi Evron)
Russia/Georgia: Tanks, Bombers, Keyboards (Edward Rice)
Patch for Web Security Hole Has Some Leaks of Its Own (John Markoff via PGN)
MIT Students Gagged by Federal Court Judge (EFF via David Farber)
CloudAV (Rob Slade)
Two on-line travel booking risks (Chris Drewe)
'Fakeproof' microchipped British e-passport ... (Lars Poulsen)
Re: Unsuspected travelers' laptops may be detained ... (Steven M. Bellovin,
R. G. Newbury)
Re: GPS causes nightmare vacation (Fernando Pereira)
Re: How reliable is DNA ...? (Michael Black, Steve Schafer)
Re: Neglecting to logout from Skype ... (Al Macintyre)
Abridged info on RISKS (comp.risks)
Date: Mon, 11 Aug 2008 01:37:59 -0500 (CDT)
From: Gadi Evron <ge@linuxbox.org>
Subject: Internet attacks against Georgian web sites
In recent days, news and government Web sites in Georgia suffered DDoS
attacks. While these attacks seem to affect the Georgian Internet, it is
1. There are botnet attacks against .ge websites.
2. These attacks affect the .ge Internet infrastructure, but it's reachable.
3. It doesn't seem Internet infrastructure is directly attacked.
4. Every other political tension in the past 10 years, from a comic of the
Prophet Muhammad to the war in Iraq, was followed by online supporters
attacking targets which seem affiliated with the opposing side, and
Up to the Estonian war, such attacks would be called "hacker enthusiast
attacks" or "cyber terrorism" (of the weak sort). Nowadays any attack with a
political nature seems to get the "information warfare" tag. When 300
Lithuanian web sites were defaced last month, "cyber war" was the buzzword.
Running security for the Israeli government Internet operation and later the
Israeli government CERT such attacks were routine, and just by speaking on
them in the local news outlets I started bigger so-called "wars" when
enthusiasts responded in the story comments and then attacked the "other
Not all fighting is warfare. While Georgia is obviously under DDoS
attacks and it is political in nature, it doesn't so far seem different from
any other online aftermath by fans. Political tensions are always followed
by online attacks by sympathizers.
Could this somehow be indirect Russian action? Yes, but considering Russia
is past playing nice and uses real bombs, they could have attacked more
strategic targets or eliminated the infrastructure kinetically.
Coulda, shoulda -- the nature of what's going on isn't clear, but until we
are certain anything state-sponsored is happening on the Internet it is my
official opinion this is not warfare, but just some unaffiliated attacks by
Russian hackers and/or some rioting by enthusiastic Russian supporters.
It is too early to say for sure what this is and who is behind it.
The RBN blog (following the Russian Business Network) is of a different
Also, Renesys has been following the situation and provides with some
(Thanks to Paul Ferguson for the URLs)
DDoS attacks harm the Internet itself rather than just this or that web
site, so soon this may require some of us in the Internet security
operations community getting involved in mitigating the attacks, if they
don't just drop on their own.
["You don't need your firewalls! Gadi is Israel's firewall."
-- Itzik (Isaac) Cohen, "Computers czar", Senior Deputy to the Accountant
General, Israel's Ministry of Finance, at the government's CIO
(after two very funny self-deprecation quotes, time to even things up!)]
[There were a lot of lessons that should have been learned from the
Estonian DDoS attacks that still remain to be learned. PGN]
Date: Tue, 12 Aug 2008 16:06:59 -0500 (CDT)
From: Gadi Evron <ge@linuxbox.org>
Subject: Internet attacks against Georgian web sites
This is an update of my previous post on the subject.
To be honest here, no one truly knows what's going on in Georgia's Internet
except for what can be glimpsed from outside, and what has been written by
the Georgians on their blog
outside their country). They are probably a bit busy avoiding kinetic
As mentioned in the previous post, Renesys has been following the Georgian
links, which seem to be there, but occasionally drop due to possibly power
failures. Renesys URL here:
Shadowserver and others have been following the botnets attacking the
Georgian web sites, and that is confirmed as happening. Shadowserver was
According to Dancho Danchev, there have also been some defacements, which
he describes here, along with other conclusions I don't necessarily agree
So--it is clear their web sites are under attack, and that Internet
visibility-wise, the impact is real for the Georgians. And yet, it is simply
too early and there is not enough information to call this an Internet
war. It is too early to establish motive or who the perpetrator is, however
much we may want to point fingers.
Following every and any political or ethnic tension, world-wide, an online
aftermath comes, in the form of attacks, defacements, and enthusiast hackers
swearing at the other side (which soon does the same, back).
While Georgia's suffering is real, such attacks are nothing but routine here
in Israel. When I ran the defense for the Israeli government Internet
operation and then the Israeli government CERT, such attacks would occur
daily. Hackers on the other side would band together, talk, coordinate a
date, exchange tools, and attack.
While I apologize for the analogy, post-9/11 Israelis were shocked. We were
sympathizing and crying for the victims. What we did not understand was why
people were still shocked ten minutes past, as this was a normal every-day
life happening for us over here. The same applies for cyber-space, the
Internet--we are used to this.
The difference in this attack was that the Georgian authorities, like
numerous others around the world still aren't, were not prepared to face
and fend against such an attack.
In my article "Fighting Botnets and Online Mobs" for the Georgetown
Journal of International Affairs covering the Internet war in Estonia, I
state how our opponents will no longer be just countries, or even
organizations as Martin van Creveld once predicted ahead of his time, but
that on the Internet playing field any individual or loosely affiliated
group can be a player, affecting countries and yes, corporations as well.
My article can be found here:
The best article describing the events so far is by John Markoff at *The New
Date: Sat, 9 Aug 2008 03:40:47 -0400
From: Edward Rice <ehrice@his.com>
Subject: Russia/Georgia: Tanks, Bombers, Keyboards
*The New York Times* reports that in the "hot war" currently going on
between Russia and Georgia, cyberwarfare appears to have broken out as well:
> Neither side showed any indication of backing down. Prime Minister
> Vladimir V. Putin of Russia declared that "war has started," and President
> Mikheil Saakashvili of Georgia accused Russia of a "well-planned invasion"
> and mobilized Georgia's military reserves. There were signs as well of a
> cyberwarfare campaign, as Georgian government Web sites were crashing
> intermittently during the day.
Date: Tue, 12 Aug 2008 14:30:37 PDT
From: "Peter G. Neumann" <neumann@csl.sri.com>
Subject: Patch for Web Security Hole Has Some Leaks of Its Own
Evgeniy Polyakov has demonstrated that the emergency patch to the Domain
Name System for the vulnerability noted by Dan Kaminsky (RISKS-25.25) is
itself flawed and relatively easily exploited. [Source: John Markoff, *The
New York Times*, 9 Aug 2008, B1 (National Edition); PGN-ed]
Date: Sat, 9 Aug 2008 17:21:27 -0400
From: David Farber <dave@farber.net>
Subject: [IP] MIT Students Gagged by Federal Court Judge
Bad decision by the Judge djf
[Boston's Charlie Card vulnerability. Note that the student's paper
explicitly does not reveal the key details of the vulnerability.
Another example of shooting the messenger rather than getting to the
root of the problems. PGN]
Begin forwarded message:
From: EFF Press <press@eff.org>
Date: August 9, 2008 5:14:30 PM EDT
Subject: [E-B] EFF: MIT Students Gagged by Federal Court Judge
Electronic Frontier Foundation Media Release
For Immediate Release: Saturday, August 09, 2008
Jennifer Stisa Granick
Civil Liberties Director
Electronic Frontier Foundation
+1 415 271-4879
Electronic Frontier Foundation
+1 415 436-9333 x116
Electronic Frontier Foundation
+1 415 436-9333 x125
MIT Students Gagged by Federal Court Judge
EFF Backs Researchers Forced to Cancel Presentation on
Transit Fare Payment System
Las Vegas - Three students at the Massachusetts Institute of Technology
(MIT) were ordered this morning by a federal court judge to cancel their
scheduled presentation about vulnerabilities in Boston's transit fare
payment system, violating their First Amendment right to discuss their
The Electronic Frontier Foundation (EFF) represents Zack Anderson, RJ Ryan
and Alessandro Chiesa, who were set to present their findings Sunday at
DEFCON, a security conference held in Las Vegas. However, the Massachusetts
Bay Transit Authority (MBTA) sued the students and MIT in United States
District Court in Massachusetts on Friday, claiming that the students
violated the Computer Fraud and Abuse Act (CFAA) by delivering information
to conference attendees that could be used to defraud the MBTA of transit
fares. This morning District Judge Douglas P. Woodlock, meeting in a
special Saturday session, ordered the trio not to disclose for ten days any
information that could be used by others to get free subway rides.
"We wanted to share our academic work with the security community and had
planned to withhold a key detail of our results so that a malicious attacker
could not use our research for fraudulent purposes," said Anderson. "We're
disappointed that the court is preventing us from presenting our findings
even with this safeguard."
Vulnerabilities in magnetic stripe and RFID card payment systems implemented
by many urban transit systems are generally known. The student research
applied this information to the specific case of Boston's Charlie Card and
Charlie Ticket, and the project earned an A from renowned computer scientist
and MIT professor Dr. Ron Rivest.
The court relied on a federal law aimed at computer intrusions in issuing
its order, holding that even discussing the flaws at a public conference
constituted a "transmission" of a computer program that could harm the fare
"The court's order is an illegal prior restraint on legitimate academic
research in violation of the First Amendment," said EFF Civil Liberties
Director Jennifer Granick. "The court has adopted an interpretation of the
statute that is blatantly unconstitutional, equating discussion in a public
forum with computer intrusion. Security and the public interest benefit
immensely from the free flow of ideas and information on
vulnerabilities. More importantly, squelching research and scientific
discussion won't stop the attackers. It will just stop the public from
knowing that these systems are vulnerable and from pressuring the companies
that develop and implement them to fix security holes."
This case is part of EFF's Coders' Rights Project, launched just this week
to protect programmers and developers from legal threats hampering their
cutting-edge research. EFF will seek relief for the researchers in the
For the full temporary restraining order:
For more on the Coders' Rights Project:
For this release:
The Electronic Frontier Foundation is the leading civil liberties
organization working to protect rights in the digital world. Founded in
1990, EFF actively encourages and challenges industry and government to
support free expression and privacy online. EFF is a member-supported
organization and maintains one of the most linked-to websites in the world
Date: Mon, 11 Aug 2008 11:27:22 -0800
From: Rob Slade <rMslade@shaw.ca>
A few media sources seem to be picking up a press release from the
University of Michigan.
This reports on "CloudAV," a project and series of papers about having
antivirus detection run "in the cloud" rather than on the PC.
As usual, there seems to be some misunderstanding about what is going on
here. CloudAV is not really a new approach, it is simply the use of
multiple scanners, which the AV research community has advocated for years.
It's like having a bunch of scanners installed on your desktop, or a system
like Virustotal, with the exception that the scanners run on different
computers so you get a bit of performance advantage (absent the bandwidth
lag/drain for submitting files to multiple systems).
rslade@vcn.bc.ca rslade@computercrime.org victoria.tc.ca/techrev/rms.htm
Date: Sun, 10 Aug 2008 18:18:12 +0100
From: "Chris Drewe" <e767pmk@yahoo.co.uk>
Subject: Two on-line travel booking risks
Here are two items from the readers' queries feature in the travel section
of the weekend newspaper recently (don't know if they're in the on-line
version, but it's http://www.telegraph.co.uk/travelexperts , Aug 2 & 9):
* A reader wrote about booking 3 air tickets on-line for himself and two
other people via the airline's web site, and ended up with three tickets
with his own name on them, which cost a small fortune to correct. This
was suggested as being due to the `autofill' function of his web browser
(it didn't say which one), and also returning to a previous stage of the
booking process with the browser back arrow rather than the `Back' link on
the web page. The airline was quoted as saying that it can't disable or
detect this as an error (unlike, say, an empty name field), so it's the
customers' responsibility to check when entering data.
* In the UK, passports last for 10 years, but they can be renewed slightly
before they expire, with the unused period transferred to the new one
(thus allowing you to renew your passport in good time without losing part
of its validity period), hence it's possible to have a passport with an
expiry date just over 10 years in the future. A reader comments that the
US Electronic System for Travel Authorisation application site at
https://esta.cbp.dhs.gov didn't accept his passport because it was valid
for more than 10 years. Response was that the Department for Homeland
Security claims to have fixed this, but as the on-line permit is
compulsory from next year, it may be something to be aware of.
Date: Sun, 10 Aug 2008 06:49:01 -0700
From: Lars Poulsen <lars@beagle-ears.com>
Subject: 'Fakeproof' microchipped British e-passport ... (Thomas, RISKS-25.26)
I have been watching with increasing puzzlement the security theater about
"electronic passports", and I still cannot figure out what it is that the
system is supposed to accomplish. It seems to me that it is going backwards.
Indeed, the world has changed since the traditional passport system was
established. The traditional passport relies on "secure paper" technology:
Textile paper with watermarks was considered to be too difficult to
fake. Modern printers can create something that looks close enough to fool a
It seems to me that the response to this would be to take advantage of
Internet technology: One should no longer trust the passport, but use only
the embedded barcode or OCR digit string to furnish a record identifier and
then pull the passport information from the issuing agency's database. Then
a forged paper passport would be worthless at border crossings.
Instead, we have replaced the reliance on "secure paper" with a reliance on
"secure silicon", even though it should be obvious to anyone that a writable
memory chip can be reprogrammed in the field ... indeed the standard method
of deployment of the genuine instrument relies on this property. Any digital
signing on the chip to ensure that it has not been altered requires a
functioning network link to the issuer's database. And with that link, the
chip is unnecessary.
I know that I am not so smart that I have figured out something that all the
experts have overlooked, so I must be missing something critical. What have
Lars Poulsen, Afar Communications Inc
Date: Mon, 11 Aug 2008 15:59:44 -0400
From: "Steven M. Bellovin" <smb@cs.columbia.edu>
Subject: Re: Unsuspected travelers' laptops may be detained ... (RISKS-25.16)
It's worth noting -- repeating, actually -- that border searches of laptops
are not restricted to the US. See, for example,
http://news.bbc.co.uk/1/hi/sci/tech/150465.stm which reports on British
policy. Also note the date: 1998. I have a different question: which
developed economies have explicit policies saying that they will not search
(the information on) laptops?
Steve Bellovin, http://www.cs.columbia.edu/~smb
Date: Sat, 09 Aug 2008 21:05:58 -0400
From: "R. G. Newbury" <newbury@mandamus.org>
Subject: Re: Unsuspected travelers' laptops may be detained... (RISKS-25.16)
The worst features of this are that IF you have done the smart thing and
used strong encryption to protect your data, the Customs agent will be MORE
likely to take away your entire laptop for examination... and he will take
your entire laptop, not just the hard drive out of it.
In effect, you have no Fourth or Fifth Amendment rights when crossing the
border into the US. Must scare the living bejesus out of most corporate
counsel and CIO guys.
As for me, the next time I cross the border with my laptop, it will have an
entirely brand spanking new Fedora install on the laptop's original (small)
hard drive with not one single piece of important data.
Date: Fri, 8 Aug 2008 20:39:11 -0700
From: Fernando Pereira <pereira@cis.upenn.edu>
Subject: Re: GPS causes nightmare vacation
GPS caused nothing there, no computer risks involved. The risk is for people
who travel in wild places with no clue about what they are about to
experience. They blamed the GPS because they had to find an excuse for
their ignorance and stupidity. They were lucky that they got away with just
embarrassment; others with a similar attitude have paid with their lives.
Date: Sat, 9 Aug 2008 08:40:24 -0500
From: "Michael Black" <mdblack98@yahoo.com>
Subject: Re: How reliable is DNA ...? (Schaefer, RISKS-25.27)
I've long been a critic of DNA matches -- seems it's always being presented
as an almost "sure thing". I always said that when the database got large
enough they'd start having problems.
Well, a recent article has caused me to analyze the probabilities. It's
quite eye-opening when you understand how it really works.
You always hear of one-in-a-million or one-in-a-billion chances, but it would
seem, by simple analysis, that this is not true, and would certainly explain
why the FBI is fighting against people being able to do studies such as are
quoted in this article. But you really don't need to do any studies. The
statistics are pretty simple.
For those of you who are computer-wise, DNA matching is apparently a binary
coded system. "9 loci" matches are frequently used to find matches.
I don't know where the numbers come from that I hear in the court
cases...but this is how it quite apparently works. As the article below
pointed out -- they found 122 matches in the Arizona database of 65,000
where there was a 9-loci or more match. This very closely matches the
following table that I calculated based on simple binary probabilities
showing # of loci, cumulative probability, and resulting number of average
matches expected at each loci match level:
  loci   cumulative probability   expected matches
    1    0.5                      32500
    2    0.25                      8125
    3    0.125                     4063
    4    0.0625                    2031
    5    0.03125                   1016
    6    0.015625                   508
    7    0.007813                   254
    8    0.003906                   127
    9    0.001953                    63
   10    0.000977                    32
   11    0.000488                    16
   12    0.000244                     8
"9 loci or better" numbers give you 63 likely matches -- the 122 in the
study may well be due to the lack of independence -- e.g., relatives and the
distribution of the actual DNA samples (which one would have to do a study
to find out).
Given the current U.S. population of 305 million then, how many matches
would there be in the U.S.? At 9 loci or more you would expect 595,703
matches. Proof beyond doubt? Hardly. At 12 loci it would be 74,463 and at
13 loci 37,231.
This is why DNA evidence alone is NOT a sure thing and should never be used
as the sole evidence in a case. So the next question would be -- if I
already have a suspect and his DNA matches -- how good is that? That
question is simply, "what are the odds that a specific DNA sample will match
somebody else in the database?" For the U.S. population that turns out to
be 1-in-546 or a 99.82% match at 9 loci and 1-in-8192 at 12 loci or a 99.99%
match. As a juror I don't think I would see much difference between 99.82%
and 99.9988%. And stating it as 1-in-8192 puts a whole different spin on
DNA can be used to EXCLUDE beyond any doubt. But it cannot be used to
INCLUDE beyond any doubt. Question being what is "reasonable doubt"
statistically? As a defense lawyer you might be able to say "in this city
of 65,000 alone there are approximately 122 people with the same DNA profile
as my client" -- that would be the 9-loci case -- or "8 people" at 12 loci.
That sounds like reasonable doubt to me and would make me completely
discount the DNA evidence. Without other supporting evidence I would never
convict somebody on DNA alone.
Date: Sat, 09 Aug 2008 08:39:05 -0400
From: Steve Schafer <steve@fenestra.com>
Subject: Re: How reliable is DNA ...? (Schaefer, RISKS-25.27)
The controversy arises here because this situation is analogous to the well
known Birthday Problem (sometimes called the Birthday Paradox), which is the
difference between the following two questions:
Q1: How many people do I have to invite to a party before the probability
that two of the guests have the same birthday exceeds 99%?
Q2: How many people do I have to invite to a party before the probability
that one of the guests has the same birthday as me exceeds 99%?
Another way to look at it: If I invite 57 people to my party, there is a 99%
chance that two guests will have the same birthday, but less than a 15%
chance that one of the guests will have the same birthday as me.
* From the description in the news stories, Troyer was asking question 1.
During criminal investigations, investigators ask question 2.
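The two questions above can be put side by side numerically. The following is an added example (not code from either post or from RISKS): it computes Michael Black's "expected matches" figures under the binary model he describes (an assumed per-locus agreement probability of 0.5, a 65,000-profile database and a US population of 305 million, all taken as given from his post), and next to them the number of matching *pairs* inside the same database, which is the question-1 quantity, since every one of the C(n, 2) pairs gets its own chance to coincide. It then evaluates the 57-guest birthday party for both questions. The function names and the `match_table` helper are this example's own; the `comb` and `prod` helpers come from the standard `math` module (Python 3.8 or later).

```python
from math import comb, prod

# Constructed inputs taken from the two posts above: a 65,000-profile database,
# a US population of 305 million, and the "binary" simplification that two
# unrelated profiles agree at any one locus with probability 1/2.
DB_SIZE = 65_000
US_POPULATION = 305_000_000
PER_LOCUS_MATCH = 0.5


def profile_match_prob(loci, per_locus=PER_LOCUS_MATCH):
    """Probability that two independent profiles agree at all `loci` loci,
    assuming the loci are independent (the post's simplifying model)."""
    return per_locus ** loci


def expected_matches_to_one_profile(loci, population=DB_SIZE,
                                    per_locus=PER_LOCUS_MATCH):
    """Schafer's question 2: starting from one known profile (a suspect),
    how many other people in `population` are expected to match it."""
    return population * profile_match_prob(loci, per_locus)


def expected_matching_pairs(loci, population=DB_SIZE,
                            per_locus=PER_LOCUS_MATCH):
    """Schafer's question 1: with no suspect in mind, how many pairs of
    profiles inside `population` are expected to match each other.
    There are C(n, 2) pairs, and each pair coincides with the same probability."""
    return comb(population, 2) * profile_match_prob(loci, per_locus)


def birthday_any_pair(guests, days=365):
    """P(at least two of `guests` share a birthday): one minus the
    probability that all the birthdays are distinct."""
    return 1 - prod((days - i) / days for i in range(guests))


def birthday_matches_me(guests, days=365):
    """P(at least one of `guests` shares my particular birthday)."""
    return 1 - ((days - 1) / days) ** guests


def match_table(max_loci=12, population=DB_SIZE, per_locus=PER_LOCUS_MATCH):
    """Rows of (loci, match probability, expected matches to one profile,
    expected matching pairs) for 1..max_loci loci."""
    return [
        (k,
         profile_match_prob(k, per_locus),
         expected_matches_to_one_profile(k, population, per_locus),
         expected_matching_pairs(k, population, per_locus))
        for k in range(1, max_loci + 1)
    ]


if __name__ == "__main__":
    print("loci  P(match)    matches to one profile   matching pairs in database")
    for k, p, one, pairs in match_table():
        print(f"{k:4d}  {p:<10.6f}  {one:>22.1f}   {pairs:>26.1f}")
    print()
    print("US population, 9 loci, matches to one profile: "
          f"{expected_matches_to_one_profile(9, US_POPULATION):,.0f}")
    print(f"57 guests: any shared birthday {birthday_any_pair(57):.4f}, "
          f"someone shares mine {birthday_matches_me(57):.4f}")
```

Running it reproduces the post's US-wide figure of 595,703 matches to one profile at 9 loci, and shows the pair count inside a database growing with C(n, 2) rather than n, which is the same effect that makes 57 guests enough for a 99% chance of some shared birthday while leaving the chance that someone shares *my* birthday under 15%.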
Date: Sat, 09 Aug 2008 16:25:43 -0500
From: Al Macintyre <macwheel99@wowway.com>
Subject: Re: Neglecting to logout from Skype ... (RISKS-25.27)
In our travels, work, school, home, we may have need of multiple different
locations from which to access various Internet services, but probably not
Those different PCs can often have different default settings and
I recently was working in part of the flooded Midwest, where many business
sites were without phones, fax, Internet service, etc., so I was using the
computer at the motel to catch up on e-mail, etc. The computer in the hotel
lobby was shared by 200 hotel room guests, on a first come, first served basis.
It is important to log out each day, and maybe change your password daily,
because it is unknown what gets saved in that PC's cache. I found where one
guest had created a folder with particulars about managing their bank
accounts, still logged on. Every guest could access every other guest's stuff
because it was one password for all of us. I figure this kind of
infrastructure is a magnet for
For decades in offices where people share some network of data bases, it has
been productive to concurrently open multiple sessions ... some updating or
entering data, others inquiring into various aspects of the data entry, more
related to coping with interruptions. It is nice that at an instant's need,
yet another session can be opened to look at the data a different way or to
pursue a different interest. But at the end of the day, time to go home, it is
also easy to forget about a session opened hours ago and interrupted, so that
you forgot it was open. This could be at one workstation with 8
sessions open, or multiple work stations, as some persons patrolled a
building, dealing with situations, signing onto the most convenient
I railed without success at the network configurators to add an icon showing
the number of sessions you are currently signed on at, a number you want to
wind down to zero when you are done for the day.
Date: Thu, 29 May 2008 07:53:46 -0900
Subject: Abridged info on RISKS (comp.risks)
The ACM RISKS Forum is a MODERATED digest, with Usenet equivalent comp.risks.
=> SUBSCRIPTIONS: PLEASE read RISKS as a newsgroup (comp.risks or equivalent)
if possible and convenient for you. The mailman web interface can
be used directly to subscribe and unsubscribe:
Alternatively, to subscribe or unsubscribe via e-mail to mailman
your FROM: address, send a message to
containing only the one-word text subscribe or unsubscribe. You may
also specify a different receiving address: subscribe address= ... .
You may short-circuit that process by sending directly to either
risks-subscribe@csl.sri.com or risks-unsubscribe@csl.sri.com
depending on which action is to be taken.
Subscription and unsubscription requests require that you reply to a
confirmation message sent to the subscribing mail address. Instructions
are included in the confirmation message. Each issue of RISKS that you
receive contains information on how to post, unsubscribe, etc.
=> The complete INFO file (submissions, default disclaimers, archive sites,
copyright policy, etc.) is online.
The full info file may appear now and then in RISKS issues.
*** Contributors are assumed to have read the full info file for guidelines.
=> .UK users should contact <Lindsay.Marshall@newcastle.ac.uk>.
=> SPAM challenge-responses will not be honored. Instead, use an alternative
address from which you NEVER send mail!
=> SUBMISSIONS: to risks@CSL.sri.com with meaningful SUBJECT: line.
*** NOTE: Including the string "notsp" at the beginning or end of the subject
*** line will be very helpful in separating real contributions from spam.
*** This attention-string may change, so watch this space now and then.
=> ARCHIVES: ftp://ftp.sri.com/risks for current volume
or ftp://ftp.sri.com/VL/risks for previous VoLume
<http://www.risks.org> redirects you to Lindsay Marshall's Newcastle archive
http://catless.ncl.ac.uk/Risks/VL.IS.html gets you VoLume, ISsue.
Lindsay has also added to the Newcastle catless site a palmtop version
of the most recent RISKS issue and a WAP version that works for many but
not all telephones: http://catless.ncl.ac.uk/w/r
==> PGN's comprehensive historical Illustrative Risks summary of one liners:
<http://www.csl.sri.com/illustrative.html> for browsing,
<http://www.csl.sri.com/illustrative.pdf> or .ps for printing
==> Special Offer to Join ACM for readers of the ACM RISKS Forum:
End of RISKS-FORUM Digest 25.28