
Risks Digest 27.10
From: RISKS List Owner <risko () csl sri com>
Date: Thu, 29 Nov 2012 12:00:40 PST

RISKS-LIST: Risks-Forum Digest  Thurs 29 November 2012  Volume 27 : Issue 10

Peter G. Neumann, moderator, chmn ACM Committee on Computers and Public Policy

***** See last item for further information, disclaimers, caveats, etc. *****
This issue is archived at <http://www.risks.org> as
The current issue can be found at

Commentary on L'Aquila earthquake verdict (Rob Seaman)
Drivers adapt to red-light cameras (Jim Reisert)
Close margin in Alaska senate race prompts recount (PGN)
Skunk knocks Colorado TV station off air (Monty Solomon)
Cambridge to Study Technology's Risk to Humans (Sylvia Hui via ACM TechNews)
U.S. Congress considers mandating smart cards for Medicare beneficiaries
  and providers (Kevin Fu)
How least-cost routing slams rural telephone service, getting worse
  (Lauren Weinstein)
"Skype vulnerability may have exposed your messages" (Woody Leonhard via
  Gene Wirchenko)
SEC Employees Brought Sensitive Data to Black Hat... (PGN)
NASA Suffers Large Data Breach Affecting Employees, Contractors, ...
  (Bob Charette via Ed Levinson)
"Public clouds; risky business for MSPs" (Gene Wirchenko)
Hotel room door locks vulnerable to hacking (Mark Thorson)
RFID used to track school students (Nick Brown)
More on suspended student refusing to wear tracking device (Tim Cushing
  via Monty Solomon)
Barnes & Noble Ebooks expire with your credit card! (Tim Cushing via
  Monty Solomon)
Syria blacks out the Internet (Paul Saffo)
Excellent article on Chinese censorship (Philipp Winter/Jedidiah Crandall
  via PGN)
When It Comes to Security, We're Back to Feudalism (WiReD via Dave Farber)
"Malware uses Google Docs as proxy to command and control server"
  (Lucian Constantin via Gene Wirchenko)
Trojan sent blackmails from PCs. Japanese Police arrested PC owners
  (Chiaki Ishikawa)
Cyber Security and Information Intelligence Research Workshop
  (Frederick T. Sheldon)
Abridged info on RISKS (comp.risks)


Date: Fri, 23 Nov 2012 17:11:01 -0700
From: Rob Seaman <seaman () noao edu>
Subject: Commentary on L'Aquila earthquake verdict

Between Superstorm Sandy and the U.S. election, it has been a busy month,
and the verdict of the L'Aquila Earthquake trial has yet to be discussed on
RISKS.  In engineering it is unsurprising that with expertise comes
responsibility, occasionally rising to criminal penalties when a bridge
falls down or a programming mistake causes a medical mishap or modern
infrastructure to fail.

Yet early opinions on the conviction of seven seismologists and other
experts resulting from public comments they made prior to the 2009
earthquake in L'Aquila, Italy suggested a great resistance in the scientific
community to similar penalties, here in "failing to predict an earthquake".
For example:


Contrasting opinions, well worth reading and mulling over, are beginning
to emerge from others in the scientific community:

Perhaps the definition of "pure science" is "science I can't be thrown in
jail over".

Rob Seaman, National Optical Astronomy Observatory


Date: Tue, 27 Nov 2012 18:33:04 -0700
From: Jim Reisert AD1C <jjreisert () alum mit edu>
Subject: Drivers adapt to red-light cameras

I think the title says it all.

"A pilot program for red-light cameras in New Jersey appears to be changing
drivers' behavior, state officials said, noting an overall decline in
traffic citations and right-angle crashes.  The Department of Transportation
also said, however, that rear-end crashes have risen by 20% and total
crashes are up by 0.9% at intersections where cameras have operated for at
least a year."


Jim Reisert AD1C, <jjreisert () alum mit edu>, http://www.ad1c.us

  [Fascinating!  Collateral damage becomes collinear damage.  In NYC, I long
  ago observed that you should never stop for a light changing to red,
  particularly on a staggered-timing north-south avenue.  If you do, you are
  likely to be rear-ended by a pile-up of perhaps three taxis.  PGN]


Date: Wed, 28 Nov 2012 3:30:20 PST
From: "Peter G. Neumann" <neumann () csl sri com>
Subject: Close margin in Alaska senate race prompts recount

The *Anchorage Daily News* reports that Alaska will conduct a recount of
votes in one contest for the state senate.  The race was certified at 7593
to 7542 votes -- a margin of 51.  The nominal loser has requested a recount,
which will be conducted in Anchorage according to the title of the article,
and in Juneau according to the last sentence of the article!



Date: Tue, 13 Nov 2012 21:09:01 -0500
From: Monty Solomon <monty () roscom com>
Subject: Skunk knocks Colorado TV station off air



Date: Wed, 28 Nov 2012 11:19:25 -0500
From: ACM TechNews <technews () HQ ACM ORG>
Subject: Cambridge to Study Technology's Risk to Humans

Sylvia Hui, Associated Press item (25 Nov 2012)
via ACM TechNews, Wednesday, November 28, 2012

The potential risks that super-intelligent technologies pose to humans will
be the focus of the proposed Center for the Study of Existential Risk at
Cambridge University.  The center will bring together philosophers and
scientists to study the idea that in this or the next century machines with
artificial intelligence could pursue their own interests.  "It tends to be
regarded as a flaky concern, but given that we don't know how serious the
risks are, that we don't know the time scale, dismissing the concerns is
dangerous," says Cambridge philosophy professor Huw Price.  "What we're
trying to do is to push it forward in the respectable scientific community."
Price says the precise nature of the risks is hard to forecast, but advanced
technology could be a threat when computers start to channel resources
toward their own goals at the expense of human concerns such as
environmental sustainability.  Price is co-founding the project with Martin
Rees, a professor of cosmology and astrophysics, and Jann Tallinn, one of
the founders of the Internet phone service Skype.  Cambridge plans to launch
the center next year.


Date: Wed, 28 Nov 2012 23:43:10 -0500
From: Kevin Fu <kevinfu () cs umass edu>
Subject: U.S. Congress considers mandating smart cards for Medicare
   beneficiaries and providers

This morning, I testified in the U.S. House on the risks of technology to
combat waste, fraud and abuse in the Medicare program.  My testimony focuses
on the expectations of smart cards to reduce fraud.  My testimony also
highlights the types of fraud that remain in countries already using smart
cards for national health programs.  In short, there are several subtle
risks in the proposed pilot program---ranging from questionable
effectiveness and questionable evaluation methods to negative impact on
patient care.  I recommend ways to improve the utility of a pilot study.


Kevin Fu, Associate Professor, Computer Science & Engineering
University of Michigan, http://spqr.cs.umass.edu/ (lab moves to MI 1 Jan)


Date: Wed, 28 Nov 2012 11:10:54 -0800
From: Lauren Weinstein <lauren () vortex com>
Subject: How least-cost routing slams rural telephone service, getting worse

http://j.mp/StvI4l  (Addison Independent via NNSquad)

  "Farmhouses surrounded with many acres of fields, houses that may be miles
  apart. It's the geography and demographics of the area," Souza says. "It's
  the same reason that there's limited cell service in these areas. You
  might put up one cell tower, but the six it would take to provide complete
  coverage in the terrain are just not cost-justified."  A rural phone
  service provider like Shoreham Tel maintains a small network of its own
  copper wires, then connects with the rest of the world via "trunking" or
  switching centers connecting with a larger carrier. Shoreham Tel's lines
  have trunking with the network maintained by FairPoint.  "People in Sprint
  or Verizon don't have direct switching with us, but they do have direct
  with FairPoint's tandem switching. So FairPoint turns the call over to us
  and we terminate the call. The system has worked flawlessly for years,"
  Souza says.  "Then the least-cost routing issue emerged in the last three
  years. Entities started doing this, shaving every last penny out of
  it. Our customers aren't happy, and we understand that. But we can't
  control the other side of the system with calls coming at us."


Date: Wed, 14 Nov 2012 16:18:31 -0800
From: Gene Wirchenko <genew () ocis net>
Subject: "Skype vulnerability may have exposed your messages" (Woody Leonhard)

Woody Leonhard, *InfoWorld*, 14 Nov 2012
Microsoft sat by for months before plugging a security hole that
could have allowed others to see all your stored Skype data


Date: Mon, 26 Nov 2012 10:30:17 PST
From: "Peter G. Neumann" <neumann () csl sri com>
Subject: SEC Employees Brought Sensitive Data to Black Hat...



Date: Thursday, November 15, 2012
From: *Ed Levinson*
Subject: NASA Suffers Large Data Breach Affecting Employees, Contractors, ...

From the IEEE Spectrum blog by Robert N. Charette:

[On 14 Nov 2012,] NASA sent a message to all NASA employees informing them
of a data breach involving an agency stolen laptop.

According to the NASA message posted at SpaceRef.com on 31 Oct 2012, a NASA
laptop and official NASA documents issued to a Headquarters employee were
stolen from the employee's locked vehicle. The laptop contained records of
sensitive personally identifiable information (PII) for a large number of
NASA employees, contractors, and others.  Although the laptop was password
protected, it did not have whole disk encryption software, which means the
information on the laptop could be accessible to unauthorized individuals.
We are thoroughly assessing and investigating the incident, and taking every
possible action to mitigate the risk of harm or inconvenience to affected



Date: Tue, 20 Nov 2012 09:04:45 -0800
From: Gene Wirchenko <genew () ocis net>
Subject: "Public clouds; risky business for MSPs"

CDN CURATED: Toronto MSP posts a blog about the risks of public clouds,
19 Nov 2012

opening paragraph:

If there was ever an example of why Public Cloud storage can be hazardous,
it was Go Daddy's service outage earlier this week. Thousands (or millions
-- depending on whom you ask) of domains were taken off line. Businesses not
only lost their websites, a number of them lost access to their e-mail. This
lasted for 6 hours.


Date: Thu, 29 Nov 2012 07:33:03 -0800
From: Mark Thorson <eee () sonic net>
Subject: Hotel room door locks vulnerable to hacking

An exploit revealed at the Black Hat conference is now suspected to be the
method by which hotel rooms are being burglarized.  A simple tool can plug
into a port on the locks, reveal the secret key, and open them.  The
manufacturer is refusing to upgrade the locks for free, which places many
hotel customers at risk.


Now you've got something to take your mind off the bedbugs.


Date: Mon, 26 Nov 2012 11:32:30 +0100 (CET)
From: "Nick Brown, Strasbourg, France" <nick.brown () free fr>
Subject: RFID used to track school students

The BBC reports (http://www.bbc.co.uk/news/technology-20461752) that a
school in Texas is using RFID tags to track student movements around campus,
apparently to satisfy a reporting requirement (apparently there is a
monotonic relationship between the number of students attending on any given
day and state funding, which is a whole separate discussion).

What I found surprising in this case is that the only (reported) opposition
to this seems to have been on religious grounds; one student claims*
that "an individual's acceptance of a certain code, identified with his or
her person, as a pass conferring certain privileges from a secular ruling
authority, is a form of idolatry or submission to a false god".  I'm not in
a position to judge whether that is a sincerely-held point of view, or
whether protests based on more secular reasoning --- such as, for example,
"this is a really, really terrible idea" --- have been rejected out of hand.
(After all, what could possibly go wrong with a system that displays and
records the exact whereabouts of teenagers throughout the day?)

* https://www.rutherford.org/files_images/general/11-21-2012_TRO-Petition_Hernandez.pdf


Date: Tue, 27 Nov 2012 23:45:19 -0500
From: Monty Solomon <monty () roscom com>
Subject: More on suspended student refusing to wear tracking device
  (Tim Cushing)

Tim Cushing, Court Temporarily Blocks School District From Suspending
Student For Refusing To Wear Student ID/Tracking Device, Techdirt, 27 Nov



Date: Tue, 27 Nov 2012 23:45:19 -0500
From: Monty Solomon <monty () roscom com>
Subject: Barnes & Noble Ebooks expire with your credit card! (Tim Cushing)

Tim Cushing, Barnes & Noble Decides That Purchased Ebooks Are Only Yours
Until Your Credit Card Expires, Techdirt, 27 Nov 2012



Date: Thu, 29 Nov 2012 10:50:56 -0800
From: Paul Saffo <paul () saffo com>
Subject: Fwd: Syria blacks out the Internet

This is a first -- a countrywide Internet blackout. It is going to have all
sorts of unexpected consequences, but frankly I am surprised it took them so
long to do it (they probably didn't know how)...

An Akamai chart shows the shutdown pretty dramatically.  Here is the
original report of the blackout with continuing coverage -- note the charts:

  [See also techcrunch.  PGN]


Date: Tue, 27 Nov 2012 13:56:49 PST
From: "Peter G. Neumann" <neumann () csl sri com>
Subject: Excellent article on Chinese censorship

Philipp Winter and Jedidiah R. Crandall,
The Great Firewall of China:
  How it blocks Tor and why it is hard to pinpoint
usenix;login: December 2012 vol 37 no 6


Date: Tue, 27 Nov 2012 10:17:59 -0500
From: Dave Farber <dave () farber net>
Subject: When It Comes to Security, We're Back to Feudalism (WiReD)

Some of us have pledged our allegiance to Google: We have Gmail accounts, we
use Google Calendar and Google Docs, and we have Android phones. Others have
pledged allegiance to Apple: We have Macintosh laptops, iPhones, and iPads;
and we let iCloud automatically synchronize and back up everything.  Still
others of us let Microsoft do it all. Or we buy our music and e-books from
Amazon, which keeps records of what we own and allows downloading to a
Kindle, computer, or phone. Some of us have pretty much abandoned e-mail
altogether -- for Facebook.


Date: Tue, 20 Nov 2012 12:45:22 -0800
From: Gene Wirchenko <genew () ocis net>
Subject: "Malware uses Google Docs as proxy to command and control server"

Lucian Constantin, IDG News Service, *InfoWorld*, 19 Nov 2012
Backdoor.Makadocs variant uses Google Drive Viewer feature to receive
instructions from its real command and control server


Date: Fri, 23 Nov 2012 04:15:05 +0900
From: "ISHIKAWA,chiaki" <ishikawa () yk rim or jp>
Subject: Trojan sent blackmails from PCs. Japanese Police arrested PC owners

In a few very public cases, a backdoor trojan (the Japanese press calls it a
virus) sent threatening blackmail messages from unsuspecting people's PCs.

It is believed that the trojan was probably hidden inside free software, such
as a photo-retouching utility, that the unsuspecting people downloaded from a
bulletin board or similar. But the transfer vector is still sketchy.

These incidents happened this summer (2012).

These threatening messages caused complaints from the recipients, and the
police moved.  However, the Japanese police branches were misled into
believing that the owners of the PCs had sent these threatening messages.

The PCs were identified by the IP address used to send the e-mail or to post
a message to the recipients' web interface.

Since an IP address is a unique identifier, the PC can be uniquely
identified. And naturally, the owners of the PCs are suspects, correct?

One man in Osaka, from whose PC a threatening message (close to 250 bytes or
so) was uploaded within one second of the initial access to the city's web
page on July 29th, was approached by the police and interrogated.

He told the police investigator that he had no knowledge of it, and suggested
that someone might have hijacked the Wi-Fi he was using, among other
possibilities. He vehemently denied sending the message to the repeated

But to no avail. He was detained on 26 Aug 2012, and charged with a crime on
14 Sep. The access log records on his PC for the time period of the
blackmailing seemed to have been erased by the trojan. This missing record of
the crucial date made the police more suspicious of the man, and they thought
that he had tried to hide his act.

So he was awaiting trial.

However, the police in Mie prefecture, who had charged another man in a
similar blackmail message case in early September, noticed a trace of a
strange file on the man's PC. COTS (commercial off-the-shelf) virus checkers
and the like could not identify it.  With help from certain unnamed security
firms, the Mie police concluded that there was a trojan on the man's computer
and that the possibility of the trojan sending out or posting threatening
messages could not be ruled out.  So the man was freed one week after the

The Mie police further told the police in Osaka of their findings and the
suspicious file name (iesys.exe).

Based on this new information, the Osaka police studied the first man's PC
more carefully (I suppose; they had checked the first man's PC with a COTS
virus scanner and such before the original arrest, but found nothing).  The
Osaka police now figured that the same or a similar trojan had been on the
computer. The trojan seems to have erased itself after the crime, which is
why it was not spotted earlier (but it seems the files could now be recovered
by the police's tools, with the new knowledge).

After considering this infection, and that uploading a 250+ byte message
within one second is not humanly possible by simple typing, clicking buttons
with a mouse to navigate the web manually, etc., the man facing trial was
freed on 21 Sep.

After these two publicised cases were reported on TV news, and the danger of
these trojans and the ordeal of the two men were covered for about a week,
the media uncovered another case of a man in Tokyo, and he "admitted" that
he had sent a threatening e-mail from a PC in the house. (He thought he was
protecting another family member whom he thought had sent out the
threatening e-mail. We learned later that a trojan sent the threatening

We also learned of another case: a youth in his teens also admitted sending
a threatening blackmail message from his PC in a similar case, and his case
was closed quickly as no contest, since the youth also "admitted" that he had
sent the blackmail.  (In this case, it seems that the youth figured he would
not be given a harsh penalty and could get out of the case quickly by
"admitting" to the charge falsely.)

Now, whoever masterminded the operation of these trojans came out from the
dark and sent the details of his/her operation to a lawyer who had appeared
in a TV news segment covering these cases.

The e-mail, sent from a server in a foreign country, contained details of
the blackmail messages which only the recipients and the police knew. So now
the police believe these messages from the purported mastermind are genuine.
This mastermind told the lawyer that the teenager is innocent, and that
his/her act was meant to make fun of the police and prosecutors' offices,
whose IT skills are, in his/her opinion, the laughing stock of the town.
He/she was sorry to have caused grief to the owners of the computers and
thus came out from the

After the general outline of the e-mails from the mastermind became public,
the police and prosecutors' offices formally apologized to the suspected /
arrested / charged people, and the national police agency sent a notice
about not trusting an IP address alone as key evidence in similar cases.

To people in the IT industry and readers of RISKS, this is a no-brainer, but
before the Japanese police and prosecutors' offices were made keenly aware of
it, some people suffered through a very frustrating summer.

Also, there has been heavy criticism of high-handed police investigations
that forced a few people to "admit" to crimes which they did not commit
after all. There have been cases of police and prosecutor mistakes that
caused innocent people to be in jail for many years, and so the Japanese
public is very critical of these issues today.  Even the courts, which have
been very prosecutor-friendly, seem to think more carefully about police
evidence in some publicised cases.

Now, the Japanese police are asking for cooperation from overseas police
organizations and ISPs to trace the e-mails sent to the lawyers, in the slim
hope that it may lead to the origin.

All of this happened just because of recorded IP addresses.

I am reporting this now since English coverage of these incidents seems to
be rare (or is swamped by the flood of voting-related issues this Fall).


Date: Tue, 27 Nov 2012 12:25:17 -0500
From: "Sheldon, Frederick T." <sheldonft () ornl gov>
Subject: Cyber Security and Information Intelligence Research Workshop

Cyber Security and Information Intelligence Research Workshop (CSIIRW)

The workshop will be held at Oak Ridge National Laboratory.  In the
aftermath of Hurricane Sandy, it seems fortuitous that we delayed the
workshop to 8-10 Jan 2013. I'm certain that many people would not have been
able to attend.

To register for the event, you can simply go to:
  www.csiir.ornl.gov/csiirw and  click on registration.

There are some points-of-interest starting with the advance program:

and invited speakers:

This year's theme is Federal Cyber Security R&D Program Thrusts, which is
based on the Federal Cybersecurity R&D Strategic Plan:

Frederick T. Sheldon, Ph.D., CSIIRW General Co-chair
Oak Ridge National Laboratory, 576-1339 Office 576-5943 Fax


Date: Sun, 7 Oct 2012 20:20:16 -0900
From: RISKS-request () csl sri com
Subject: Abridged info on RISKS (comp.risks)

 The ACM RISKS Forum is a MODERATED digest. Its Usenet manifestation is
 comp.risks, the feed for which is donated by panix.com as of June 2011.
=> SUBSCRIPTIONS: PLEASE read RISKS as a newsgroup (comp.risks or equivalent)
 if possible and convenient for you.  The mailman Web interface can
 be used directly to subscribe and unsubscribe:
 Alternatively, to subscribe or unsubscribe via e-mail to mailman
 your FROM: address, send a message to
   risks-request () csl sri com
 containing only the one-word text subscribe or unsubscribe.  You may
 also specify a different receiving address: subscribe address= ... .
 You may short-circuit that process by sending directly to either
   risks-subscribe () csl sri com or risks-unsubscribe () csl sri com
 depending on which action is to be taken.

 Subscription and unsubscription requests require that you reply to a
 confirmation message sent to the subscribing mail address.  Instructions
 are included in the confirmation message.  Each issue of RISKS that you
 receive contains information on how to post, unsubscribe, etc.

=> The complete INFO file (submissions, default disclaimers, archive sites,
 copyright policy, etc.) is online.
 *** Contributors are assumed to have read the full info file for guidelines.

=> .UK users may contact <Lindsay.Marshall () newcastle ac uk>.
=> SPAM challenge-responses will not be honored.  Instead, use an alternative
 address from which you NEVER send mail!
=> SUBMISSIONS: to risks () CSL sri com with meaningful SUBJECT: line.
 *** NOTE: Including the string "notsp" at the beginning or end of the subject
 *** line will be very helpful in separating real contributions from spam.
 *** This attention-string may change, so watch this space now and then.
=> ARCHIVES: ftp://ftp.sri.com/risks for current volume
     or ftp://ftp.sri.com/VL/risks for previous VoLume
 http://www.risks.org takes you to Lindsay Marshall's searchable archive at
 newcastle: http://catless.ncl.ac.uk/Risks/VL.IS.html gets you VoLume, ISsue.
   Lindsay has also added to the Newcastle catless site a palmtop version
   of the most recent RISKS issue and a WAP version that works for many but
   not all telephones: http://catless.ncl.ac.uk/w/r
 <http://the.wiretapped.net/security/info/textfiles/risks-digest/> .
==> PGN's comprehensive historical Illustrative Risks summary of one liners:
    <http://www.csl.sri.com/illustrative.html> for browsing,
    <http://www.csl.sri.com/illustrative.pdf> or .ps for printing
  is no longer maintained up-to-date except for recent election problems.
 *** NOTE: If a cited URL fails, we do not try to update them.  Try
  browsing on the keywords in the subject line or cited article leads.
==> Special Offer to Join ACM for readers of the ACM RISKS Forum:


End of RISKS-FORUM Digest 27.10
