From: RISKS List Owner (risko@csl.sri.com)
Date: Fri Mar 26 2010 - 13:15:19 CDT
RISKS-LIST: Risks-Forum Digest Friday 26 March 2010 Volume 25 : Issue 97
ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
Peter G. Neumann, moderator, chmn ACM Committee on Computers and Public Policy
***** See last item for further information, disclaimers, caveats, etc. *****
This issue is archived at <http://www.risks.org> as
The current issue can be found at
Unmanned goods train crash in Norway (Martyn Thomas)
NRC to VA: you endangered patients, you owe us $227k (Danny Burstein)
FBI Faces New Setback in Computer Overhaul (Eric Lichtblau via David Lesher)
IRS systems can't be trusted (Randall Webmail)
Risks to the power grid (Gary McGraw)
Pwn2Own 2010: iPhone hacked, SMS database hijacked (Ryan Naraine via
Warnings about Wifi-enabled air travel (David Strom via Gabe Gold)
Cops inadvertently harass couple: real address used as test data
Police raid wrong address 50+ times (David Lesher)
UK SAS base "exposed" through Google Streetview (Peter Baker)
Netflix Data Deanonymized (Bob Gezelter)
Hacked "miss a payment, brick your car" system (Jeremy Epstein)
Colombian vote count delayed (PGN)
Surveillance via bogus SSL certificates (Matt Blaze)
More on School Webcam Scandal (Gene Wirchenko)
Couldn't logout from Facebook Mobile (jidanni)
Re: Old models of PS3 failed to connect to network (DoN Nichols)
Abridged info on RISKS (comp.risks)
Date: Wed, 24 Mar 2010 15:15:27 +0000
From: Martyn Thomas <martyn@thomas-associates.co.uk>
Subject: Unmanned goods train crash in Norway
Several railway cars in a 16-car train broke loose, sped at 100km/h,
derailed, smashed into a building, killed three people, injured three
others, and wound up in a fjord.
Date: Thu, 18 Mar 2010 11:55:34 -0400 (EDT)
From: danny burstein <dannyb@panix.com>
Subject: NRC to VA: you endangered patients, you owe us $227k
The Nuclear Regulatory Commission has proposed a $227,500 fine against the
Department of Veterans Affairs (DVA) for violations of NRC regulations
associated with an unprecedented number of medical errors identified at the
Veterans Affairs Medical Center in Philadelphia (VA Philadelphia). Medical
errors at VA Philadelphia involved the incorrect placement of iodine-125
seeds to treat prostate cancer. Out of 116 procedures performed between 2002
and 2008, 97 were executed incorrectly. ... [NRC press release]
[I'm not entirely comfortable with their use of the term "executed" in
Date: Fri, 19 Mar 2010 09:20:50 -0400
From: David Lesher <wb8foz@panix.com>
Subject: FBI Faces New Setback in Computer Overhaul (Eric Lichtblau)
[Source: Eric Lichtblau, *The New York Times*, 18 Mar 2010]
The Federal Bureau of Investigation has suspended work on parts of its huge
computer overhaul, dealing the agency the latest costly setback in a
decade-long effort to develop a modernized information system to combat
crime and terrorism. The overhaul was supposed to be completed this fall,
but now will not be done until next year at the earliest. The delay could
mean at least $30 million in cost overruns on a project considered vital to
national security, Congressional officials said. FBI officials said that
design changes and "minor" technical problems prompted the suspension of
parts of the third and fourth phases of the work, which is intended to allow
agents to better navigate investigative files, search databases and
communicate with one another. The decision to suspend work on the $305
million program is particularly striking because the current contractor,
Lockheed Martin, was announced to great fanfare in 2006 after the collapse
of an earlier incarnation of the project with the Science Applications
So after both classified and unclassified reviews, Congressional scrutiny,
and "we'll do better next time" promises...
Esther Dyson: ``Always make new mistakes.''
Date: March 23, 2010 5:41:53 PM EDT
From: Randall Webmail <rvh40@insightbb.com>
Subject: IRS systems can't be trusted
According to a new Government Accountability Office report, the Internal
Revenue Service has failed to fix almost 70 percent of control weaknesses
and program deficiencies identified a year ago. The report concludes that
the IRS's failure to use strong passwords, install patches quickly, and
adequately control access to computer systems and information makes the
system vulnerable to insider threats and attacks from outside.
Date: Fri, 26 Mar 2010 08:18:56 -0400
From: Gary McGraw <gem@cigital.com>
Subject: Risks to the power grid
We have known for years that the power grid system is a fragile engineering
kludge. Adopting Internet technology to bring it kicking and screaming into
this Millennium may not help. Some of the RISKS described in
A keynote talk I gave for the NRECA (video)
My colleague Sammy's talk
An informIT article I just wrote about the subject:
The Smart (Electric) Grid and Dumb Cybersecurity
Date: Thu, 25 Mar 2010 23:25:39 -0400
From: Monty Solomon <monty@roscom.com>
Subject: Pwn2Own 2010: iPhone hacked, SMS database hijacked (Ryan Naraine)
A pair of European researchers used the spotlight of the CanSecWest Pwn2Own
hacking contest [in about two weeks] to break into a fully patched iPhone
and hijack the entire SMS database, including text messages that had already
been deleted. Using an exploit against a previously unknown vulnerability,
the duo -- Vincenzo Iozzo (Zynamics) and Ralf Philipp Weinmann (University
of Luxembourg) -- lured the target iPhone to a rigged Web site and
exfiltrated the SMS database in about 20 seconds. The exploit crashed the
iPhone's browser session, but Weinmann said that, with some additional
effort, he could have a successful attack with the browser running.
"Basically, every page that the user visits on our [rigged] site will grab
the SMS database and upload it to a server we control," Weinmann explained.
Iozzo, who had flight problems, was not on hand to enjoy the glory of being
the first to hijack an iPhone at the Pwn2Own challenge.
[Source: Ryan Naraine, zdnet, datelined Vancouver BC, 24 Mar 2010; PGN-ed]
Date: Mon, 15 Mar 2010 12:40:07 -0400
Subject: Warnings about Wifi-enabled air travel
-------- Original Message --------
Date: Mon, 15 Mar 2010 08:06:49 -0500
From: David Strom <david@strom.com>
Web Informant 15 March 2010: Warnings about Wifi-enabled air travel
I have been on a few planes in the past couple of weeks that are
Wifi-enabled. American has created an entirely new opportunity for identity
thieves here, and while the opportunity to surf and e-mail at 30,000 feet is
tempting, count me out for those that will become frequent users.
The problem is that most people get lost in the wonderfulness of the Web and
tend to forget that their seatmates can watch every move, see every
keystroke (it doesn't take much to follow along, especially at the speed
that many people type), and collect all sorts of information. By the end of
one flight I was on, I had Larry (not his real name) the HP sales rep's
Amazon account, read several of his e-mails, got to see his new sales
presentations that HP corporate sales office had sent him, figured out that
he was a recent hire as he was checking HP's Intranet to understand some
corporate travel policies, found out who his clients that he had just
visited were, and more.
Now, I wasn't really paying that much attention. I was tired, and just
wanted to be left by myself for the trip. And I think we exchanged maybe ten
words between us all told. But if I really wanted to do some damage, I could
be all over Larry's accounts by now (he had some nice taste from what I
could see he was looking for on Amazon, too).
Yes, people have been using laptops on planes for years. I used to do it all
the time, back when the middle seat was rarely occupied and you didn't have
to almost disrobe to get to the gate. But those days are almost as much part
of history as calling the people that worked on planes stews. The difference
is now that we have Internet piped directly to the seat, people are free to
go anywhere and everywhere, and where they go are places that are critical
to their life. I wouldn't be surprised if someone was doing their online
So people (and HP, you might want to consider this a corporate-wide
purchase) if you are going online up in the air, get a privacy filter for
your laptop so that no one else can see your screen. They cost about
$30. This isn't complex technology: it has been available almost as long as
Windows has been around. And while you are at it, dim your screens to save
on power anyway (Larry had one of those nifty power-packs to boost his
battery, too). Or better yet: don't work on anything important on a crowded
plane -- and these days, what other kinds of planes are there? Bring a
book or watch a movie if you must be immersed in your electronic cocoon.
I am reminded of a story from my early days as a reporter for PC Week, back
in the late 1980s. We were very scoop-oriented, and would always try to get
information from the vendors through all sorts of means, some of them
probably unethical or at least uncomfortable in the light of the present
day. One of our reporters was having dinner with her boyfriend (now husband)
at a quaint and cozy Cambridge Mass. restaurant, and overheard two
businessmen at the next table gossiping about work. What was unusual was
they were speaking rapid German, and both were working for Lotus
Development, at the time a powerhouse spreadsheet player. They were in town
to discuss the company's future product plans. Trouble was, my colleague
spoke German fluently, and got a couple of scoops that were published the
next week in the paper. No one knew who the source of the leak was.
Remember "loose lips sink ships", the World War 2 posters put up by the
government? We need something similar on Wifi-enabled planes. Be careful out
there, people. You never know whom you are sitting next to.
Date: Sun, 21 Mar 2010 01:42:00 -0400 (EDT)
From: msb@vex.net (Mark Brader)
Subject: Cops inadvertently harass couple: real address used as test data
Note especially the last paragraph in this one.
In 2002 the New York Police Department was testing a new computer system and
put in "random material" as test data. This included the real address of
Walter and Rose Martin -- which inadvertently ended up in the system as live
data. The result was that the Martins' address appeared in police computers
as the address of a variety of crime suspects and victims; so police were
repeatedly banging on the door demanding the suspects appear, as well as
sending them mail.
In 2007 the Martins finally complained to the police commissioner, but the
problems remained unresolved. By now the Martins are 82 and 83 years old,
police have come to their house 50 times, and the story has reached the news
media. Both the mayor, Michael Bloomberg, and the police commissioner, Ray
Kelly, have apologized to the couple, and the problem is now supposed to
have been fixed.
Date: Fri, 19 Mar 2010 08:58:49 -0400 (EDT)
From: "David Lesher" <wb8foz@panix.com>
Subject: Police raid wrong address 50+ times
[Also noted here:]
Maybe they need a special doorbell "For police raids..."
Once again, the lack of sanity checks at multiple levels rears its head.
a) Did each raid have a valid warrant? If so, who obtained the warrants?
Who signed the affidavits? What judge approved them? [Is this process
b) After fifty raids, the NYPD has not yet figured out it is worth a
moment's thought before kicking their way in?
[Harald Hanche-Olsen added: New York's police chief has delivered a
cheesecake to an elderly couple in Brooklyn, to apologise for dozens of
mistaken police visits to their home. PGN]
Date: Sat, 20 Mar 2010 14:18:33 +0100
From: Peter Baker <peter.baker@safe-mail.net>
Subject: UK SAS base "exposed" through Google Streetview
A UK newspaper reports "fury" as Google Streetview was found to display
detailed pictures of the SAS headquarters
I would personally wonder about perimeter security if a vehicle that is very
obviously taking pictures can drive past without a discussion with either
the driver in question or the organisation behind it. However, it made me
curious if that other "off the map" place was featured, and yes, ECHELON is
available in Streetview too <http://bit.ly/GoogleEchelon> (well, for the
moment). The RISK is obvious: if you don't want your perimeter in the news,
patrol it. If you want to remove such pictures, have a *quiet* word or
expect the Streisand effect to strike with a vengeance.
It wasn't Google Streetview exposing the base, it was the resulting
Date: Sun, 14 Mar 2010 11:30:50 -0500
From: Bob Gezelter <gezelter@rlgsc.com>
Subject: Netflix Data Deanonymized
The movies you rent may tell a lot about you, perhaps more than you may
want. This collation hazard, collating anonymized data with other data to
de-anonymize the data has serious implications. This hazard was noted in
RISKS many years ago, with regards to pharmacy data (which was not
protected) and medical files (which were protected) [to Editor: I do not
have the reference at hand, it may be pre-online RISKS, perhaps you recall
In The New York Times Bits blog, Steve Lohr published an article noting the
latest round of the Netflix competition has been canceled. [see
Apparently, researchers at the University of Texas were able to unmask the
data. [see http://arxiv.org/PS_cache/cs/pdf/0610/0610105v2.pdf].
This is only the latest in a series of episodes involving "collation", a
hazard that was included in "Security on the Internet" (Chapter 23, Computer
Security Handbook (1995), section 23.4, pp 23-6) and its 2002 sequel
(outline available at
The mass adoption of micro-blogging and applications that reveal one's
physical location only make this hazard more severe. I daresay this will not
be the last we see of anonymized data becoming uncloaked through collation.
- Bob Gezelter, http://www.rlgsc.com
Date: Wed, 17 Mar 2010 19:16:24 -0400
From: Jeremy Epstein <jeremy.j.epstein@gmail.com>
Subject: Hacked "miss a payment, brick your car" system
A vendor offers a black box system that will remotely disable a car's
ignition or start the horn honking, to allow easy recovery if the owner
doesn't make the car payments. A laid-off auto dealership worker took
advantage of the system and got his revenge for being laid off by logging
into the system using a (former) co-worker's credentials, and going through
one-by-one and disabling all of the cars sold by his former employer
equipped with the device. The vendor of the remote control device says this
is the first time it's ever happened. (I'd guess it's not the last!)
The Risk? Any time you have a remote control device, you've opened a new
attack surface. While this attack was essentially an insider (since the
person knew a co-worker's password), what are the odds that someone can guess
passwords, or find them posted on monitors in the car dealership, or find a
vulnerability in the web application, or .... There are also potential
attacks going directly against the devices, completely bypassing the
web-based control system.
I'd bet that the dealerships were assured the system is completely
secure, because it uses SSL.
[Also noted by Steven J Klein, and Steve Summit, who commented: The Risks?
The usual: An unsuspected, perhaps too-powerful system, which although it
had some safeguards, perhaps didn't have enough... David Lesher noted a
UPI item, and remarked: Gee, shades of the Greek Wiretapping Saga, and
multiple other cases. When you build Big Brother in, you can expect
Date: Wed, 17 Mar 2010 18:02:02 PDT
From: "Peter G. Neumann" <neumann@csl.sri.com>
Subject: Colombian vote count delayed
Unidentified attackers reportedly struck the computerized system used to
transmit voting data in Colombia's legislative elections, disrupting the
vote count just as the polls closed and continuing. Three days after the
polls, final results still had not been released. (AFP, 17 Mar 2010)
Date: March 24, 2010 3:09:19 PM EDT
From: Matt Blaze <mab@crypto.com>
Subject: Surveillance via bogus SSL certificates
[From Dave Farber's IP list]
Over a decade ago, I observed that commercial certificate authorities
protect you from anyone from whom they are unwilling to take money. That
turns out to be wrong; they don't even do that.
Chris Soghoian and Sid Stamm published a paper today that describes a simple
"appliance"-type box, marketed to law enforcement and intelligence agencies
in the US and elsewhere, that uses bogus certificates issued by *any*
cooperative certificate authority to act as a "man-in-the-middle" for
encrypted web traffic.
Their paper is available at http://files.cloudprivacy.net/ssl-mitm.pdf
What I found most interesting (and surprising) is that this sort of
surveillance is widespread enough to support fairly mature, turnkey
commercial products. It carries some significant disadvantages for law
enforcement -- most particularly, it can potentially be detected.
I briefly discuss the implications of this kind of surveillance at
Also, Wired has a story here:
[IP Archives: https://www.listbox.com/member/archive/247/=now
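The detection point Blaze makes above can be shown concretely. The interception box he describes presents a substitute certificate issued by a cooperative CA, so ordinary chain validation passes; what does change is the certificate itself. The following added example (written for this digest, not code from Blaze, Soghoian or Stamm) records the SHA-256 fingerprint of the leaf certificate a client sees on first contact with a host and reports when a later connection presents a different one. The host name `example.test`, the byte strings standing in for DER certificates, and the status strings are constructed for the demonstration; `fetch_leaf_cert` uses the standard `ssl` module for real connections but is not exercised offline.

```python
import hashlib
import socket
import ssl
from typing import Dict, Optional

# Status values returned by PinStore.observe() (names chosen for this example).
FIRST_SEEN = "first-seen"   # no prior pin for this host; record it (trust on first use)
MATCH = "match"             # presented certificate matches the recorded pin
CHANGED = "changed"         # different certificate: key rotation, or interception


def fingerprint(der_cert: bytes) -> str:
    """SHA-256 of the DER-encoded certificate, as lower-case hex."""
    return hashlib.sha256(der_cert).hexdigest()


class PinStore:
    """Per-host record of the certificate fingerprint seen on first contact.

    A certificate that chains to a trusted CA but does not match the pin is
    exactly the symptom of the "cooperative CA" interception: chain validation
    succeeds, yet the certificate presented is not the one seen before.
    """

    def __init__(self) -> None:
        self._pins: Dict[str, str] = {}

    def observe(self, host: str, der_cert: bytes) -> str:
        fp = fingerprint(der_cert)
        known = self._pins.get(host)
        if known is None:
            self._pins[host] = fp
            return FIRST_SEEN
        return MATCH if known == fp else CHANGED

    def pin(self, host: str) -> Optional[str]:
        return self._pins.get(host)


def fetch_leaf_cert(host: str, port: int = 443, timeout: float = 5.0) -> bytes:
    """Connect with normal chain validation and return the leaf certificate in
    DER form. Needs network access; the offline demo below does not call it."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert(binary_form=True)


def demo() -> dict:
    """Offline walk-through with constructed stand-ins for DER certificates."""
    # Constructed byte strings; real input would come from fetch_leaf_cert().
    genuine = b"CONSTRUCTED-DER: CN=example.test, issuer=Example Root CA, serial=1"
    substitute = b"CONSTRUCTED-DER: CN=example.test, issuer=Cooperative CA, serial=7"
    store = PinStore()
    return {
        "first": store.observe("example.test", genuine),       # pin recorded
        "again": store.observe("example.test", genuine),       # same cert, fine
        "intercepted": store.observe("example.test", substitute),  # flagged
    }


if __name__ == "__main__":
    for step, status in demo().items():
        print(f"{step:12s} -> {status}")
```

A `changed` result is a signal to investigate, not proof of interception: a site that rotates its certificate produces the same result, which is why pinning the hash of the subject public key (so that re-issuance with the same key still matches) is the more usual choice in practice than pinning the whole certificate as done here.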
Date: Mon, 22 Mar 2010 13:44:51 -0700
From: Gene Wirchenko <genew@ocis.net>
Subject: More on School Webcam Scandal
InfoWorld Home / Adventures in IT / Notes from the Field / Robert X. Cringely
March 22, 2010
High school Webcam follies, part II: Dumb and dumber
The Lower Merion School District's 'Webcamgate' scandal continues.
Cringely updates us on the latest twists and turns
Though it's not getting quite the 24/7 cable news treatment as it garnered
when it first hit the wires, the Webcam scandal in Southeastern Pennsylvania
(aka "Webcamgate") is still twisting and turning in unpredictable ways. We
still don't know exactly what happened, but we do know there are lessons
here for everyone concerned about IT security and personal privacy.
Date: Mon, 22 Mar 2010 05:48:56 +0800
Subject: Couldn't logout from Facebook Mobile
There I was at a certain university library who had blocked access to
facebook.com. However I found I could still get through to Facebook
Mobile: m.facebook.com. All was hunky-dory until I tried to logout, a
link which surprise, surprise, depends on accessing the main
facebook.com site! So I was forced to rid the cookies and close the browser.
Date: Fri, 19 Mar 2010 21:12:00 -0500
From: "DoN. Nichols" <dnichols@d-and-d.com>
Subject: Old models of PS3 failed to connect to network due to
leap-year miscalculation (Ishikawa, RISKS-25.96)
I think that the problem was more a miscalculation of the year, as
apparently occurred in some cell-phones and was reported here at the
beginning of the year.
I encountered it in my watch -- a Citizen "Eco" solar-powered watch which
updates itself nightly from whatever time station is most reachable. (For
the USA, it is WWVB.) There is one station in Europe, and two in Japan
which it also knows about.
Anyway -- I first became aware of the problem after the rollover from
February 2010 to March 2010. It started displaying the day of the month one
lower than it should have been.
On going into the setting mode to correct this, I discovered that it thought
that the year was 2016. Apparently, this had been since the beginning of
2010, but since the year is only displayed in setting mode, it was not
obvious until the rollover. Since 2010 is not a leap year, but 2016 *is*,
it started calculating the day of the month incorrectly -- presumably from
an internal count of days since the start of the year.
I fixed the date, and it recurred after the nighttime contact with WWVB --
every night, so I just turned off the automatic updates while tracing down
the proper way to get it fixed.
The problem seems to be in the conversion of the BCD coded information from
WWVB to the binary data within the watch. What it was doing was converting
the bottom four bits to a decimal digit and setting that, then taking the
next four bits and adding it shifted up by four bits -- thus adding a value
of 16 to the total, instead of multiplying the next to LSD by ten and adding
it to the binary value.
Since the upper two digits of the year are correct, I presume that it is
simply using the two lowest digits and adding to 2000 internally. So -- I
wonder what happens when we reach 2100? Not likely to be a problem for me,
unless there are some miraculous advances in longevity medicine. :-) And I
have doubts that the battery will last that long, even with proper sun
exposure to keep it charged. And I also doubt that the battery will remain
in production that long. So it will probably become non-functional long
before the 2100 date arrives.
To their credit -- once I got in touch with the right part of the Citizen
repair organization (no simple task, given the layout of their web page)
they instantly recognized the problem, told *me* the model of the watch, and
started processing to get me a free shipping via UPS to their site. (I have
about three years of the five year warranty left, but they did not even ask
They have just received the watch, and I am now awaiting its return in an
Subsequent e-mail with them determined that they had discovered the problem
and sent information to the dealers to send the watches back for a firmware
update (which they are calling a software update). Some did, and some did
I purchased mine about the time that they discovered the problem and issued
the notice, so I don't know whether it should have been sent back at the
time I got it or not.
The dealer was totally puzzled by the problem, and their own contact with
the repair organization suggested that it was a problem of the battery dying
(and the indicator showed a perfectly good charge on it). So -- they have a
similarly difficult information channel. All watches made after the early
part of 2008 were shipped with the firmware fixed. (I tested one at the
store to make sure of this before I was told that they were fixed by the
http://www.d-and-d.com/dnichols/DoN.html Voice: (703) 938-4564
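The conversion error DoN Nichols describes (treating the high BCD nibble as a binary value shifted up four bits, i.e. times 16, instead of a tens digit times 10) is easy to reproduce, along with the leap-year consequence he observed at the February-to-March rollover. The following is an added example written for this digest, not code from the contributor or from Citizen. It assumes, as the post does, that the watch keeps a two-digit year added to 2000 and an internal day-of-year count; the function names and the sample inputs are constructed for the demonstration.

```python
from datetime import date, timedelta
from typing import Callable, Tuple


def bcd_to_int_buggy(b: int) -> int:
    """Decode one BCD byte the way the post describes the watch doing it:
    the low nibble becomes the units digit, but the high nibble is added back
    shifted up four bits (times 16) rather than multiplied by ten.
    For the year 2010 the byte is 0x10, which this turns into 16 -> 2016."""
    return (b & 0x0F) + ((b >> 4) << 4)


def bcd_to_int(b: int) -> int:
    """Correct BCD decode: tens digit times 10 plus units digit."""
    hi, lo = b >> 4, b & 0x0F
    if hi > 9 or lo > 9:
        raise ValueError(f"not a BCD byte: {b:#04x}")
    return hi * 10 + lo


def int_to_bcd(n: int) -> int:
    """Encode 0..99 as a packed BCD byte (constructed sample input comes from here)."""
    if not 0 <= n <= 99:
        raise ValueError("BCD byte holds two decimal digits")
    return ((n // 10) << 4) | (n % 10)


def watch_date(year_bcd: int, day_of_year: int,
               decode: Callable[[int], int]) -> date:
    """Reconstruct the calendar date from a two-digit BCD year and a 1-based
    day-of-year count, as the post presumes the watch does. The century is
    assumed (2000 + yy), which is exactly the contributor's 2100 question."""
    year = 2000 + decode(year_bcd)
    return date(year, 1, 1) + timedelta(days=day_of_year - 1)


def compare(day_of_year: int) -> Tuple[date, date]:
    """Correct vs. buggy date for a given day of the (real) year 2010."""
    yy = int_to_bcd(10)  # constructed input: the year 2010 as the BCD byte 0x10
    return (watch_date(yy, day_of_year, bcd_to_int),
            watch_date(yy, day_of_year, bcd_to_int_buggy))


if __name__ == "__main__":
    # Day 31 (31 Jan) agrees either way; day 61 (2 Mar 2010) is shown as
    # 1 Mar 2016 by the buggy decode: one day lower, because 2016 is a leap year.
    for doy in (31, 60, 61):
        good, bad = compare(doy)
        print(f"day {doy:3d}: correct {good}  watch {bad}")
```

The symptom is invisible until March because a leap year and a non-leap year agree on every day-of-year up to 59; from day 60 onward the extra 29 February shifts every date by one, matching the "one lower" display in the post.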
Date: Thu, 29 May 2008 07:53:46 -0900
Subject: Abridged info on RISKS (comp.risks)
The ACM RISKS Forum is a MODERATED digest, with Usenet equivalent comp.risks.
=> SUBSCRIPTIONS: PLEASE read RISKS as a newsgroup (comp.risks or equivalent)
if possible and convenient for you. The mailman Web interface can
be used directly to subscribe and unsubscribe:
Alternatively, to subscribe or unsubscribe via e-mail to mailman
your FROM: address, send a message to
containing only the one-word text subscribe or unsubscribe. You may
also specify a different receiving address: subscribe address= ... .
You may short-circuit that process by sending directly to either
risks-subscribe@csl.sri.com or risks-unsubscribe@csl.sri.com
depending on which action is to be taken.
Subscription and unsubscription requests require that you reply to a
confirmation message sent to the subscribing mail address. Instructions
are included in the confirmation message. Each issue of RISKS that you
receive contains information on how to post, unsubscribe, etc.
=> The complete INFO file (submissions, default disclaimers, archive sites,
copyright policy, etc.) is online.
The full info file may appear now and then in RISKS issues.
*** Contributors are assumed to have read the full info file for guidelines.
=> .UK users should contact <Lindsay.Marshall@newcastle.ac.uk>.
=> SPAM challenge-responses will not be honored. Instead, use an alternative
address from which you NEVER send mail!
=> SUBMISSIONS: to risks@CSL.sri.com with meaningful SUBJECT: line.
*** NOTE: Including the string "notsp" at the beginning or end of the subject
*** line will be very helpful in separating real contributions from spam.
*** This attention-string may change, so watch this space now and then.
=> ARCHIVES: ftp://ftp.sri.com/risks for current volume
or ftp://ftp.sri.com/VL/risks for previous VoLume
<http://www.risks.org> redirects you to Lindsay Marshall's Newcastle archive
http://catless.ncl.ac.uk/Risks/VL.IS.html gets you VoLume, ISsue.
Lindsay has also added to the Newcastle catless site a palmtop version
of the most recent RISKS issue and a WAP version that works for many but
not all telephones: http://catless.ncl.ac.uk/w/r
==> PGN's comprehensive historical Illustrative Risks summary of one liners:
<http://www.csl.sri.com/illustrative.html> for browsing,
<http://www.csl.sri.com/illustrative.pdf> or .ps for printing
==> Special Offer to Join ACM for readers of the ACM RISKS Forum:
End of RISKS-FORUM Digest 25.97