From: RISKS List Owner (riskocsl.sri.com)
Date: Sun May 10 2009 - 15:40:29 CDT
RISKS-LIST: Risks-Forum Digest Sunday 9 May 2009 Volume 25 : Issue 66
ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
Peter G. Neumann, moderator, chmn ACM Committee on Computers and Public Policy
***** See last item for further information, disclaimers, caveats, etc. *****
This issue is archived at <http://www.risks.org> as
The current issue can be found at
FAA ATC shutdown (Linda Gorman)
Documented risks to FAA computers (John Sawyer)
Pipe Leak at NY Indian Point Nuclear Plant Raises Concerns (Gabe Goldberg)
Minnesota court says defendants have right to see source code (Mark Thorson)
Obama, McCain legal teams promote state-level clean election practices
Richard A. Clarke: Obama's Challenge in Cyberspace (David Farber)
`Computer glitch' disrupts Boston city payroll (Monty Solomon)
Teenage hiker's calls ignored; no street address (Rohan Sullivan)
Hackers Break Into Virginia Health Professions Database, Demand Ransom
(Brian Krebs via Monty Solomon)
UCBerkeley health service hacked, with 160,000 at risk of ID theft (Henry Lee
via Ari Ollikainen)
How to guarantee bad passwords (Jeremy Epstein)
Lexis Nexis does an Oopsis. Data breach... (Danny Burstein)
"Server issues" delay Nielsen ratings (George Mannes)
Researchers Take Over Dangerous Botnet (ACM TechNews)
Materials Database Problem (Gene Wirchenko)
Strange cash register arithmetic favors the house (Bart Thielges)
Re: Credit card numbers *not* plucked out of the air at FL Best Buy
Real-Time Networks RTN'09 (ECRTS)
Abridged info on RISKS (comp.risks)
Date: Thu, 7 May 2009 09:34:17 -0600
From: "Linda Gorman" <lindai2i.org>
Subject: FAA ATC shutdown
Civilian air-traffic control system computer networks have been penetrated
multiple times in recent years, including an attack that partially shut down
ATC systems in Alaska. The FAA is expecting to spend about $20 billion in
an upgrade over the next 15 years. [Source: *Wall Street Journal*, 7 May
[RISKS readers will recall that the previous attempted upgrade cost about
$4B before it was scuttled. PGN]
As an economist I'm primarily interested in this case for two reasons: a)
whether as a practical and theoretical matter the US government can purchase
and maintain modern information systems for specialized civilian
applications given that the FAA has been trying and failing to do so for 20
years even as private corporations created for that purpose, entities like
Nav Canada and even the US Postal Service, have been more successful, and b)
the application that this failure has to the prevailing mythology of how
expanding government control over health information storage architecture
will improve care and lower costs. To date the myth of electronic systems to
the rescue continues to grab people even though almost all of the real world
tests of the effects of expanded government control suggest that the most
likely result is higher costs and degraded care.
Linda Gorman, Director, Health Care Policy Center, Independence Institute,
Date: Thu, 7 May 2009 09:35:02 +0100
From: John Sawyer <jpgsawyergooglemail.com>
Subject: Documented risks to FAA computers
I thought this would be of interest to RISKS readers.
Scary stuff if the risks are as serious as discussed.
[See also CNET. PGN]
[The risks are not newly identified. For example, see my Computer
Security in Aviation: Vulnerabilities, Threats, and Risks, International
Conference on Aviation Safety and Security in the 21st Century, 13-15
January 1997, for the White House (Gore) Commission on Safety and
However, perhaps the awareness climate is finally changing. PGN]
Date: Fri, 01 May 2009 14:39:32 -0400
From: Gabe Goldberg <gabegabegold.com>
Subject: Pipe Leak at NY Indian Point Nuclear Plant Raises Concerns
Not directly a computer risk but it raises the question of how 100,000
gallons of water could go missing; the leak was only discovered when someone
noticed water flowing across the floor. Funny, that's the same technology by
which my wife just notices a basement leak in our house. I'm thinking about
installing a water detector -- maybe Entergy should also.
... it has raised concerns about the monitoring of decades-old buried pipes
at the nation's nuclear plants, many of which are applying for renewal of
their operating licenses. Indian Point 2, whose 40-year operating license
expires in 2013, already faces harsh criticism from New York State and
county officials who want it shut down.
Representative Edward J. Markey, the Massachusetts Democrat who heads a
House subcommittee on energy and the environment, said the leak raised
serious questions about Entergy's and the regulatory commission's oversight.
"This leak may demonstrate a systemic failure of the licensee and the
commission to inspect critical buried pipes in a manner sufficient to
guarantee the public health and safety," he wrote to the commission's
chairman, Dale Klein, in a letter on Thursday. The letter was also signed by
Representative John J. Hall, whose district includes the plant. The
congressmen said they were "shocked" that a leak that big could develop
without detection and called the system for detecting such problems
"profoundly inadequate." [Source: Matthew Wald, *The New York Times*, 2 May
Date: Sun, 03 May 2009 17:55:34 -0700
From: Mark Thorson <eeesonic.net>
Subject: Minnesota court says defendants have right to see source code
Drunk driving defendants demand to see source code for testing machines,
Minnesota state supreme court rules they have that right, but machine maker
refuses citing trade secrecy.
Date: Fri, 8 May 2009 01:06:52 -0400 (EDT)
From: "David Lesher" <wb8fozpanix.com>
Subject: Obama, McCain legal teams promote state-level clean election practices
Robert F. Bauer and Trevor Potter are attorneys in private practice,
specializing in election law. Bauer served as general counsel to the Obama
presidential campaign, and Potter was general counsel to the McCain
Robert F. Bauer and Trevor Potter,
Next Phase of Election Reform: Start With Facts, 5 May 2009
As the general counsel to the Obama and McCain campaigns, we had our
disagreements - a fair number of them, as a matter of fact. But we share a
deep commitment to fair and well-run elections in which all qualified voters
have the opportunity to vote, and all the votes that they cast are
accurately counted. Looking back on the 2008 elections, we have no doubt
that reforms in the administration of elections in this country are needed
if we are to meet these standards. We also believe such reforms can be
achieved, with potentially transformative success for the American voter.
It may be news to many readers that reforms are still needed. The media
widely reported a smooth election, and in some places, those reports were
accurate. The problems - and there were many, scattered across the country -
received comparatively little attention because the outcome of the voting
State voter registration lists suffered from various levels of
inaccuracies, there were controversies over registration drives, the
lines for early voting almost overwhelmed the system in some states,
and absentee ballots often reached voters too late to be cast,
especially for armed forces members overseas.
And on Election Day, there were many reports of more long lines,
inadequate ballots, malfunctioning machines and voters turned away
because of registration issues across the country.
If the election had been close, there would have been legal
controversies over counting hundreds of thousands of absentee and
provisional ballots in key states.
Data provide the reality check that forecloses the most extreme
positions. Unfortunately, our state and local governments do not
generate, let alone make public, the most basic information on how
well the system is working. Many states cannot tell you how many
people showed up to vote on Election Day. Other states have no idea
how many voters are registered or how voters cast their ballots. What
little data we have suggest that jurisdictions have widely variable
numbers of provisional ballots and markedly different ballot discard
rates. Even here, however, we lack enough information to figure out
why that is so.
It is essential that the data collected is distilled into a usable form.
Voters need a readily accessible metric to hold their government accountable
for missteps and reward those who perform well.
Policymakers need solid, comparative data to referee the inevitable
fights that take place between reformers, parties, candidates and
election administrators over whether the system is working. Election
administrators need a strategy for sorting through widely varying
local practices to identify the best ones.
A critical step toward the production of this data is the Democracy
Index, proposed by Heather Gerken of Yale Law School, which would rank
states and local election systems based on performance. Such an index
would function like a U.S. News and World Report ranking for colleges,
pulling together basic information that matters to voters: How long
were the lines? How many ballots got discarded? How often did machines
This is the kind of solution that should attract strong bipartisan
support. Rather than adopting a top-down, command-and-control
approach, it relies on a market-based solution, looking to "sunshine"
- the plain light cast by the facts - to motivate responsible
officials to do better. Rather than mandate uniform national
standards, it takes advantage of local variation to spot and surface
What's most attractive about a proposal like Gerken's is that it
should lay the groundwork for well-reasoned reforms. With better data,
we should be able to avoid fruitless discussions about the things that
don't matter and focus on the things that do. Reliable performance
data, in our view, would make visible the costs associated with our
current registration system, potentially moving us toward a system of
automatic voter registration by states, which in turn would help
eliminate the conflicts over the role of private registration
Reliable performance data would, we also suspect, help advance
discussion of the role and rules for early voting and give election
administrators the ammunition that they need to fight for the
resources that they have so long done without.
Agreement on these issues will not always be easy. But good data offer
a shared starting point for discussions about the future path of
When President Barack Obama and Secretary of State Hillary Rodham
Clinton were Senators, both proposed bills that would make the
Democracy Index a reality. The problems that we saw during the 2008
elections confirm the importance of passing just such a bill and
giving at long last a strong factual foundation to the urgent business
of reform - and a strong incentive to elected officials,
administrators and parties to get on with the hard work ahead.
2009 (c) Roll Call Inc. All rights reserved.
Date: Fri, 8 May 2009 13:59:15 -0400
From: David Farber <davefarber.net>
Subject: Richard A. Clarke: Obama's Challenge in Cyberspace
[From Dave Farber's IP distribution]
In the next few days President Obama will decide whether he will live up to
his campaign promises about dealing seriously with the challenge of cyber
security by creating a White House office to direct government activity and
coordinate with the private sector. None of the options being served up to
him will create the stand alone White House office that is needed to provide
the leadership on this issue.
The reasons that this decision is important have been spread across the
media this last month. Among the facts revealed are that foreign
intelligence services have penetrated the control systems of the US electric
power grid and have left behind "logic bombs" and "trap doors;" data about
America's latest fighter aircraft, the F-35 Lightning II, has been copied
off the networks of defense contractors and sent overseas; the Pentagon
plans to appoint a new four star general to run a new Cyber Command based on
the National Security Agency (NSA); and a National Academy of Sciences blue
ribbon panel has urged caution about the US engaging in offensive cyber war.
Date: Sat, 2 May 2009 01:25:53 -0400
From: Monty Solomon <montyroscom.com>
Subject: `Computer glitch' disrupts Boston city payroll
Boston city employees could not be paid by direct deposit on 1 May 2009, as
a result of an unspecified computer problem. The city has 17,000 employees,
but it was not clear how many of those were affected. [Source: Andrew Ryan
and Michael Levenson, *The Boston Globe*, 1 May 2009: PGN-ed]
Date: Fri, 8 May 2009 13:28:42 PDT
From: "Peter G. Neumann" <neumanncsl.sri.com>
Subject: Teenage hiker's calls ignored; no street address
Rohan Sullivan, Associated Press, Sydney, Australia, 7 May 2009,
Teenage hiker David Iredale used his cell phone to call Australia's
equivalent of 911, SEVEN TIMES pleading for rescue after he became lost in
tough scrubland and ran out of water in 100-degree (37 C) heat. Each time
he got through, he was told he needed to give a street address before an
ambulance could be sent. Shortly after the final call, Iredale collapsed and
died of thirst. A subsequent inquiry identified deep flaws in the OZ
emergency response system -- including an "astonishing lack of empathy"
by the operators.
Date: Tue, 5 May 2009 23:34:18 -0400
From: Monty Solomon <montyroscom.com>
Subject: Hackers Break Into Virginia Health Professions Database, Demand Ransom
Brian Krebs, *The Washington Post*, 4 May 2009
Hackers last week broke into a Virginia state Web site used by pharmacists
to track prescription drug abuse. They deleted records on more than 8
million patients and replaced the site's homepage with a ransom note
demanding $10 million for the return of the records, according to a posting
on Wikileaks.org, an online clearinghouse for leaked documents.
Wikileaks reports that the Web site for the Virginia Prescription Monitoring
Program was defaced last week with a message claiming that the database of
prescriptions had been bundled into an encrypted, password-protected
Date: May 8, 2009 3:24:58 PM EDT
From: Ari Ollikainen <ariolteco.com>
Subject: UCBerkeley health service hacked, with 160,000 at risk of ID theft
[From Dave Farber's IP]
[Source: Henry K. Lee, UC hacking leaves 160,000 at risk of ID theft,
*San Francisco Chronicle*, 8 May 2009; PGN-ed]
Overseas hackers may have stolen confidential information belonging to tens
of thousands of students and alumni at UC Berkeley and Mills College after
gaining access to computer databases at the Berkeley campus' health services
center. The databases contained Social Security numbers, health-insurance
information and non-treatment medical information, such as immunization
records and names of some of the doctors that people may have seen and dates
of medical visits, said campus spokeswoman Janet Gilmore. The hackers had
access to the information for six months before they were discovered. The
breach exposed 160,000 people to possible identity theft, Gilmore said. The
university is contacting potential victims, who should consider placing a
fraud alert on their credit reporting accounts. Among those at risk are
3,400 students at Mills College in Oakland who received, or were eligible to
receive, health care at UC Berkeley.
Date: Thu, 30 Apr 2009 14:26:10 -0400
From: Jeremy Epstein <jeremy.j.epsteingmail.com>
Subject: How to guarantee bad passwords
Getting users to choose good passwords and not write them down is always a
challenge. It's a tradeoff - if you make the requirements too loose, then an
attacker can guess the password. Make it too complex, and users have to
write them down. The rules should be proportional to the sensitivity of the
data that's accessible - read-only access to a newspaper shouldn't require
as strong a password as financial or health information.
In the "too loose" category, the extreme case I've run into was a web site
used for storing personnel information - which should have had relatively
strong requirements - that required a two character password. No quality
restrictions, no frequency of changes, nothing. Bad choice.
Today, I ran into the other end of the spectrum. A site that requires
* have a minimum length of 9 characters
* must contain two upper and two lower case characters
* must contain two digits and two special characters
* must be different from the last 9 passwords you've used
* must not contain a single quote
But the kicker: passwords may not contain any word of two letters or
more. That's apparently determined (as best as I can tell through trial and
error) by comparing every substring to a dictionary. So a password like
97to$%ABC isn't acceptable, because "to" is a word. And 3-5zq?jbeLN isn't
valid either, because "be" is a word. Presumably a1b2c3d4e5** would be a
valid password, though. (I didn't try that one.) The helpful support person
suggested not having any two letters in sequence to avoid tripping over the
rule. Human usability, anyone?
Oh, and the password expires every 60 days, so just about when you've come
up with something that matches their criteria, it's time to change again.
Now granted this site has some sensitive information, but wouldn't it make
more sense to use certificate-based authentication, which is far harder to
attack in a brute force manner than passwords? (Assuming, that is, that
you're not using certificates with MD5 signatures.)
I'd bet that 90% of their users have the passwords written down.
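The rule set above is concrete enough to implement, and implementing it makes the usability problem visible: the "no word of two letters or more" rule, checked as a substring match against a dictionary, is only reliably satisfied by never placing two letters next to each other. The following is an added example written for this page, not code from the site Jeremy Epstein describes; the word list is a constructed stand-in for whatever dictionary that site actually used, and the history check compares plaintext for illustration only (a real system would compare hashes).

```python
import re
from typing import Iterable, List

# Constructed mini-dictionary; the real site's word list is unknown.
DICTIONARY = {"to", "be", "at", "on", "in", "is", "it", "of", "or",
              "no", "so", "an", "as", "cat", "dog"}

LETTER_RUNS = re.compile(r"[A-Za-z]+")


def dictionary_hits(password: str, words: Iterable[str] = DICTIONARY) -> List[str]:
    """Return each dictionary word (2+ letters) that occurs as a substring of a
    run of letters in the password, compared case-insensitively, in order found."""
    vocab = {w.lower() for w in words if len(w) >= 2}
    hits: List[str] = []
    for run in LETTER_RUNS.findall(password.lower()):
        for i in range(len(run)):
            for j in range(i + 2, len(run) + 1):
                sub = run[i:j]
                if sub in vocab and sub not in hits:
                    hits.append(sub)
    return hits


def max_letter_run(password: str) -> int:
    """Length of the longest run of consecutive letters (0 if there are none).
    With a substring dictionary rule, only a value of 1 is guaranteed safe."""
    runs = LETTER_RUNS.findall(password)
    return max((len(r) for r in runs), default=0)


def evaluate(password: str, history: Iterable[str] = (),
             words: Iterable[str] = DICTIONARY) -> List[str]:
    """Apply the posted rules; an empty list means the password is accepted."""
    violations: List[str] = []
    if len(password) < 9:
        violations.append("shorter than 9 characters")
    if sum(c.isupper() for c in password) < 2:
        violations.append("fewer than 2 upper-case letters")
    if sum(c.islower() for c in password) < 2:
        violations.append("fewer than 2 lower-case letters")
    if sum(c.isdigit() for c in password) < 2:
        violations.append("fewer than 2 digits")
    if sum(not c.isalnum() for c in password) < 2:
        violations.append("fewer than 2 special characters")
    if "'" in password:
        violations.append("contains a single quote")
    if password in list(history)[-9:]:
        violations.append("matches one of the last 9 passwords")
    hits = dictionary_hits(password, words)
    if hits:
        violations.append("contains dictionary word(s): " + ", ".join(hits))
    return violations


if __name__ == "__main__":
    for pw in ("97to$%ABC", "3-5zq?jbeLN", "A1b2C3d4e5**"):
        print(pw, evaluate(pw) or "accepted", "longest letter run:", max_letter_run(pw))
```

Run against the two passwords from the post, the only rule either one trips is the dictionary rule, exactly as described; the candidate that passes is one built the way the support person suggested, with every letter isolated by a digit or symbol. That structural constraint, plus a 60-day expiry, is what pushes users toward predictable patterns and sticky notes.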
Date: Fri, 1 May 2009 21:54:19 -0400 (EDT)
From: danny burstein <dannybpanix.com>
Subject: Lexis Nexis does an Oopsis. Data breach...
LexisNexis Warns 32,000 of Possible Data Breach [WINS radio news]
The LexisNexis online information service is warning 32,000 people their
personal information may have been improperly accessed in a credit card
fraud scheme that postal officials say bilked hundreds.
New York-based LexisNexis says in a letter mailed Friday that former
customers of the service may have viewed information including names, birth
dates and Social Security numbers.
Date: Wed, 6 May 2009 14:21:52 -0400
From: George Mannes <gmannesgmail.com>
Subject: "Server issues" delay Nielsen ratings
Brian Stelter, TV Networks Frustrated by Lengthy Ratings Delay,
*The New York Times*, 6 May 2009
ABC is deciding in the next two weeks whether to renew the TV show Castle.
But the nation's television networks have not received the ratings for
Castle or for any other show since Saturday. Nielsen Media Research, in the
midst of a systems breakdown, has failed to deliver ratings for four days in
a row, and the networks are increasingly impatient.
Without the overnight ratings that decide the fates of shows, producers and
sometimes executives, the networks are flying blind only days before they
make pivotal decisions about next season's schedules. Imagine running a
movie theater without knowing how many tickets are being sold.
Nielsen attributed the delay to unspecified `server issues'. The overnight
ratings for Sunday, Monday and Tuesday are delayed, as well as the broader
TV rankings for last week. ``Since it's necessary to release the data in
sequence, we must process Sunday's TV ratings prior to the release of any
days this week. We're working around the clock to get the TV ratings back
Date: Fri, 8 May 2009 14:13:03 -0400
From: ACM TechNews <technewsHQ.ACM.ORG>
Subject: Researchers Take Over Dangerous Botnet
Kelly Jackson Higgins, *Dark Reading*, 4 May 2009, via ACM TechNews, 8 May 2009
University of California-Santa Barbara (UCSB) researchers temporarily
commandeered an infamous botnet known for stealing financial data and found
that the threat it represents is even greater than had been originally
assumed. The Torpig/Sinowal/Anserin mini-botnet targets organizations and
users to steal bank account information or other sensitive personal data.
It is considered more dangerous than big-name botnets because of its small
scale and stealthiness. Torpig uses drive-by download attacks as its
initial mode of infection, and upon infection the botnet can unleash crafty
phishing attacks that produce bogus but authentic-looking Web pages and
forms that trick users into exposing their credentials. The UCSB
researchers accumulated approximately 70 GB of data for the 10 days they
were in control of Torpig, and in that period the botnet stole banking
credentials of 8,310 accounts from more than 400 financial institutions,
including PayPal, Capital One, E-Trade, and Chase. Nearly half of the 1,660
stolen debit and credit card accounts the researchers counted belonged to
victims in the United States. "The level of sophistication, the amount of
data that it is able to steal, and the fact that it has been active for more
than three years is truly remarkable," says UCSB researcher Brett
Stone-Gross. The researchers' disclosures provoked debate on whether the
information they exposed about Torpig, its workings, and its victims could
compromise efforts to eventually undo the botnet. "This [research] does
create a road map ... for the [botnet] criminals to fix, and not just for
others to exploit," says RSA's Sean Brady.
Date: Wed, 06 May 2009 20:39:32 -0700
From: Gene Wirchenko <genewocis.net>
Subject: Materials Database Problem
[This is a scary excerpt from a recent post in alt.folklore.computers. GW]
Unlike you, I actually still have a job. Guess what I do? I'm a Database
Manager. I've had to deal with and fix more f**kups than you've had hot
For example, a current task is updating the TACO table released by the
Illinois Environmental Protection Agency. Standard procedure is to compare
the current update to the previous release and check for discrepancies.
Now, it's possible that the CAS number of Tin that was incorrect in the old
table (440-31-5 instead of 7440-31-5) was a typo on the part of the person
entering the data.
But when I noticed the CAS number of bis(2-chloroisopropyl)ether was
39638-32-9 instead of 108-60-1, that is definitely NOT a typo (unless the
person entering the data sneezed at that moment.)
It was clearly a f**kup on the part of the state, obviously caused by the
fact that bis(2-chloroisopropyl)ether & 2,2'- dichlorodiisopropylether are
both C6H12Cl2O.
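CAS Registry Numbers carry a check digit (the weighted sum of the preceding digits, weights 1, 2, 3, ... counted from the right, modulo 10), so the "compare to the previous release" step can be sharpened: a changed value that fails the checksum is almost certainly a typo, while a change from one valid number to another valid number is a substitution that no checksum will catch and needs a human to look at. The following is an added example for this page, not code from the post or from the Illinois EPA; the two small release tables are constructed from the numbers in the post and the direction of each change is an assumption.

```python
import re
from typing import Dict, List, Tuple

CAS_RE = re.compile(r"^(\d{2,7})-(\d{2})-(\d)$")


def cas_check_digit(body: str) -> int:
    """Check digit for the digits of a CAS number without its final digit:
    sum of digit * position counted from the right, modulo 10."""
    digits = [int(c) for c in body if c.isdigit()]
    return sum(w * d for w, d in enumerate(reversed(digits), start=1)) % 10


def is_valid_cas(cas: str) -> bool:
    """True if the string has CAS form NNNNNNN-NN-N and its check digit verifies."""
    m = CAS_RE.match(cas.strip())
    if not m:
        return False
    first, second, check = m.groups()
    return cas_check_digit(first + second) == int(check)


def diff_release(old: Dict[str, str], new: Dict[str, str]) -> List[Tuple[str, str, str, str]]:
    """Compare two releases keyed by substance name and classify every CAS change."""
    findings = []
    for name, new_cas in new.items():
        old_cas = old.get(name, "")
        if old_cas == new_cas:
            continue
        if not is_valid_cas(new_cas):
            kind = "new value fails checksum: probable typo"
        elif old_cas and not is_valid_cas(old_cas):
            kind = "old value failed checksum: looks like a typo being corrected"
        else:
            kind = "both values pass checksum: identifier substituted, needs human review"
        findings.append((name, old_cas, new_cas, kind))
    return findings


def duplicate_cas(table: Dict[str, str]) -> Dict[str, List[str]]:
    """CAS numbers that appear under more than one substance name in a release."""
    seen: Dict[str, List[str]] = {}
    for name, cas in table.items():
        seen.setdefault(cas, []).append(name)
    return {cas: names for cas, names in seen.items() if len(names) > 1}


# Constructed sample releases using the numbers quoted in the post.
PREVIOUS = {"Tin": "440-31-5", "bis(2-chloroisopropyl)ether": "108-60-1"}
CURRENT = {"Tin": "7440-31-5", "bis(2-chloroisopropyl)ether": "39638-32-9"}

if __name__ == "__main__":
    for finding in diff_release(PREVIOUS, CURRENT):
        print(finding)
```

The Tin entry is caught mechanically: 440-31-5 does not verify, 7440-31-5 does. The ether entry is the dangerous case, since 39638-32-9 and 108-60-1 are both well-formed, valid registry numbers, so the only defence is a diff against the prior release and someone who knows the chemistry reading it.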
Date: Wed, 6 May 2009 11:46:47 -0700
From: Bart Thielges <Bart.Thielgessynopsys.com>
Subject: Strange cash register arithmetic favors the house
Yesterday I noticed an item on sale for a great price so I picked up four
and proceeded to the checkout. When the cashier rang up the items, oddly the
fourth was charged at the non-sale price. We quickly surmised that there
was probably a limit of three available at the sale price.
Since I wasn't interested in paying the normal price for the fourth item, I
asked to take that one back. Normally this is a quick routine matter. The
cashier voids the item by hitting a key on the cash register and then
re-scans the item to deduct it from the tab. What happened next was
bizarre. Instead of deducting the normal price of $3.49 that I was charged,
it deducted the sale price of $1.88. Hmmm.... I was assuming that the
register would have used a stack model, removing the last item that had
transacted at $3.49. Maybe the register software was using FIFO instead ?
Then it got more surreal.
Fortunately no-one was waiting in line so the cashier voided the other 3
items, hoping to clear the FIFO. But all 4 items deducted the sale price of
$1.88 from the total. None of them deducted the normal price of $3.49. So
here we have the strange arithmetic of A+B+C+D - (A+B+C+D) > 0. In fact if
the cash register software is to be believed $0.00 = $1.61 which is the
amount remaining on the cash register that I would pay for a null basket.
The only way out was to void the entire transaction (which required the
manager to intervene) and start over. So here we have a state machine that
enables easy access to an unfavorable state (overpaying for an item) but
difficult to transition back out to the favored state (because the manager
is required). This creates something of a trap that will result in some
customers overpaying. If you make the mistake of bringing sale items that
exceed the limit (easy to do since the limit was not posted), you will
overpay unless you and the cashier take these actions:
1) Notice the overcharge (I would have missed this had the cashier not been
2) Notice that voiding an item does not remove the overcharge and/or :
3) Call a manager to void the entire transaction
This occurred at a large USA retail chain with thousands of stores and
millions of customers. This retailer stands to reap a windfall profit from
customers who don't notice that they are being overcharged.
If a similar situation occurred in casino gaming machines you can bet that
regulators would become quickly involved.
Date: Mon, 9 Mar 2009 08:57:21 -0400
From: Jonathan Kamens <jikkamens.brookline.ma.us>
Subject: Re: Credit card numbers *not* plucked out of the air at FL Best Buy
(Re: RISKS 25.60)
[Apologies for missing this one earlier. Thanks to JK for poking me. PGN]
It would be good if people would do the research necessary to avoid
This theft of credit-card numbers was not accomplished by eavesdropping on
WiFi networks, but rather through the use of a skimmer. See, for example,
for additional details.
Date: Wed, 6 May 2009 11:34:42 +0200
From: Infos about ECRTS <em-rt-infowu-wien.ac.at>
Subject: Real-Time Networks RTN'09
[The paper deadline is 10 May 2009. Strangely, security is not
explicitly mentioned in the list of potential topic areas. PGN]
8th International Workshop on Real-Time Networks (RTN'09)
June 30, 2009, Dublin, Ireland
in conjunction with the
21st Euromicro Intl Conference on Real-Time Systems (ECRTS'09)
The workshop is seeking original research and position papers
dealing with hot topics in real-time networks.
Date: Thu, 29 May 2008 07:53:46 -0900
Subject: Abridged info on RISKS (comp.risks)
The ACM RISKS Forum is a MODERATED digest, with Usenet equivalent comp.risks.
=> SUBSCRIPTIONS: PLEASE read RISKS as a newsgroup (comp.risks or equivalent)
if possible and convenient for you. The mailman Web interface can
be used directly to subscribe and unsubscribe:
Alternatively, to subscribe or unsubscribe via e-mail to mailman
your FROM: address, send a message to
containing only the one-word text subscribe or unsubscribe. You may
also specify a different receiving address: subscribe address= ... .
You may short-circuit that process by sending directly to either
risks-subscribecsl.sri.com or risks-unsubscribecsl.sri.com
depending on which action is to be taken.
Subscription and unsubscription requests require that you reply to a
confirmation message sent to the subscribing mail address. Instructions
are included in the confirmation message. Each issue of RISKS that you
receive contains information on how to post, unsubscribe, etc.
=> The complete INFO file (submissions, default disclaimers, archive sites,
copyright policy, etc.) is online.
The full info file may appear now and then in RISKS issues.
*** Contributors are assumed to have read the full info file for guidelines.
=> .UK users should contact <Lindsay.Marshallnewcastle.ac.uk>.
=> SPAM challenge-responses will not be honored. Instead, use an alternative
address from which you NEVER send mail!
=> SUBMISSIONS: to risksCSL.sri.com with meaningful SUBJECT: line.
*** NOTE: Including the string "notsp" at the beginning or end of the subject
*** line will be very helpful in separating real contributions from spam.
*** This attention-string may change, so watch this space now and then.
=> ARCHIVES: ftp://ftp.sri.com/risks for current volume
or ftp://ftp.sri.com/VL/risks for previous VoLume
<http://www.risks.org> redirects you to Lindsay Marshall's Newcastle archive
http://catless.ncl.ac.uk/Risks/VL.IS.html gets you VoLume, ISsue.
Lindsay has also added to the Newcastle catless site a palmtop version
of the most recent RISKS issue and a WAP version that works for many but
not all telephones: http://catless.ncl.ac.uk/w/r
==> PGN's comprehensive historical Illustrative Risks summary of one liners:
<http://www.csl.sri.com/illustrative.html> for browsing,
<http://www.csl.sri.com/illustrative.pdf> or .ps for printing
==> Special Offer to Join ACM for readers of the ACM RISKS Forum:
End of RISKS-FORUM Digest 25.66