SYSSEC: February 2007 Archives


February 20, 2007

I was in SFO short-term parking today and as I pulled up to get my ticket, I saw something interesting:
  • The ticket machine runs Windows.
  • It was running a virus scanner.
  • It was displaying a window indicating that it had detected a virus.

Regrettably I bungled my cell phone camera and was unable to get a photo.

Obviously, I'm unsurprised that these machines run Windows (though I wouldn't have been surprised by Linux or QNX). I'm a little surprised that they're networked, since a lot of this kind of industrial automation equipment was manufactured and installed before networked command and control became ubiquitous. However, given that they are running Windows and are networked, we shouldn't be surprised if they get infected. I guess the next question is: what could you do with a zombied parking ticket machine?


February 15, 2007

Mordaxus argues that we should stop using cutesy names for attacks on information systems:
This is the term that has set me off on the present rant. The person who just used it in a meeting I'm in said "pharming" and then screwed up his face when he perceived a blank look or three and said, "Well, pharming is a name for a number of attacks, which are all DNS spoofing attacks." I bit my tongue and did not say, "Then why didn't you say 'DNS attacks'?" and then sat down to this rant.

Pharming has both of the faults Orwell mentions. It's stale (being a back-formation from phishing) and imprecise. It's so imprecise that one can't imagine what it is just from the name. I could complain about phishing itself, but it is at least poetic and suggestive of the actual criminal activity, and that particular spelling appeared as early as 1996 in an AOL password-stealing scam. However, the word forgery was created for this very case.

I'm not fond of "phishing" or "pharming", but the ones that bug me are wardialing and friends. Wardialing is using an automatic dialer to scan for open modems. According to Wikipedia, the name comes from the use of the technique in the movie Wargames, so while it's a stupid name at least you can see where it came from. Then we got "wardriving", driving around looking for an open wireless access point, which is bad enough, but then (and I'm not making this up), warchalking, marking the area where there's an open AP. Is there any human who can say the word "warchalking" unironically and not feel like a complete fool? And that's not all. There's also warbiking, warwalking, and warspying. I'd write more but it's late and time for me to do some warsleeping.


February 3, 2007

Julie Amero, a substitute teacher in Norwich CT, has been convicted of "four counts of risk of injury to a minor, or impairing the morals of a child" and faces up to 40 years in prison. The facts of the case seem to be this (this post has a bunch of useful links):
  • While teaching a class Ms. Amero's computer went into some pop-up loop showing a bunch of pornographic images, some of which were visible to students in her seventh-grade class.
  • Ms. Norwich didn't do the sensible thing and unplug her computer.
  • It's claimed she did attempt to push one of the students away from the monitor. Of course, this cuts both ways because it indicates that she knew the computer was showing inappropriate material.
  • The prosecution didn't scan her computer for malware. The defense claims that the computer was infested with pornographic malware. The school's anti-malware software was not up to date.
  • The prosecution claims that analysis of her computer indicates visits to pornographic web sites and that these must have been actually manually visited.

So, let's take a step back here. It seems to me that this set of facts is consistent with three theories from most to least innocuous.

Her machine was (innocuously) infected with malware and she froze.
This certainly is possible. It's certainly not hard to get your machine infected with malware, and pornographic websites do try to trap you with popups so that you can't leave. Turning off your computer of course solves the problem, but it's easy to imagine someone who is computer illiterate not thinking of that, especially as Amero was reportedly told not to turn off her computer. Clearly, in retrospect this would have been pretty stupid, but then people in shock sometimes freeze.

The prosecution's argument against this theory appears to be that links to inappropriate websites were highlighted by the browser, presumably indicating that she had visited them. This could of course be a result of her doing so intentionally, but as far as I know browsers record visits, not mouse clicks, so if you really were infected with malware intended to redirect you to this kind of site it could create this kind of trail. There's also the possibility that someone else was using the computer and went to such sites.
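The point about browser history recording page loads rather than mouse clicks is worth making concrete, since it is the crux of the forensic question here. What follows is an added example (not part of the original post, and not any tool used in the case): a small Python script over a constructed history (timestamps, URLs and referrers are all made up) that looks for the signature a pop-up loop leaves behind, namely a run of page loads paced far faster than a person reads and clicks, each referred by the previous one, with only a single entry in the run that the user actually navigated to. A plain list of visited URLs, like the "highlighted links" the prosecution relied on, cannot make that distinction on its own; the timing and referrer columns are what carry the information. The thresholds (two seconds between loads, four loads to count as a burst) are assumptions chosen for the illustration, not forensic constants.

```python
from datetime import datetime, timedelta
from typing import List, NamedTuple
from urllib.parse import urlsplit


class Visit(NamedTuple):
    ts: datetime    # when the page finished loading
    url: str        # what loaded; this is all a bare history list shows
    referrer: str   # page that led here; "" when typed, bookmarked or script-opened


def _t(hms: str) -> datetime:
    """Helper for the constructed sample: clock time on an arbitrary date."""
    return datetime.strptime(hms, "%H:%M:%S").replace(year=2007, month=2, day=3)


# Constructed sample history, not real evidence. A slow, human-paced session,
# then one innocuous visit that triggers a chain of pages opening one another
# at machine speed. Every URL in the burst lands in history as a "visit".
SAMPLE_HISTORY: List[Visit] = [
    Visit(_t("09:00:00"), "http://school.example/lesson", ""),
    Visit(_t("09:03:40"), "http://school.example/worksheet", "http://school.example/lesson"),
    Visit(_t("09:11:05"), "http://hair-tips.example/styles", ""),
    Visit(_t("09:11:06"), "http://ads-a.example/popup", "http://hair-tips.example/styles"),
    Visit(_t("09:11:06"), "http://ads-b.example/more", "http://ads-a.example/popup"),
    Visit(_t("09:11:07"), "http://ads-c.example/again", "http://ads-b.example/more"),
    Visit(_t("09:11:08"), "http://ads-a.example/popup", "http://ads-c.example/again"),
    Visit(_t("09:11:09"), "http://ads-d.example/loop", "http://ads-a.example/popup"),
]


def find_bursts(visits: List[Visit],
                max_gap: timedelta = timedelta(seconds=2),
                min_len: int = 4) -> List[List[Visit]]:
    """Group visits into runs where each load follows the previous within
    max_gap. Runs of at least min_len loads are returned. Sustained pacing
    this fast is not how a person browses, so a run points at scripted
    navigation (pop-ups, redirects, malware) rather than at intent."""
    if not visits:
        return []
    ordered = sorted(visits, key=lambda v: v.ts)
    runs: List[List[Visit]] = []
    current = [ordered[0]]
    for prev, cur in zip(ordered, ordered[1:]):
        if cur.ts - prev.ts <= max_gap:
            current.append(cur)
        else:
            if len(current) >= min_len:
                runs.append(current)
            current = [cur]
    if len(current) >= min_len:
        runs.append(current)
    return runs


def describe_run(run: List[Visit]) -> dict:
    """Summarise a burst: how many loads, how many distinct hosts, and how
    many loads had no referrer (the only entries a user plausibly initiated;
    the rest were handed off from the page before them)."""
    hosts = {urlsplit(v.url).hostname for v in run}
    return {
        "start": run[0].ts,
        "end": run[-1].ts,
        "visits": len(run),
        "hosts": len(hosts),
        "no_referrer": sum(1 for v in run if v.referrer == ""),
    }


if __name__ == "__main__":
    for run in find_bursts(SAMPLE_HISTORY):
        summary = describe_run(run)
        print(f"burst {summary['start'].time()}..{summary['end'].time()}: "
              f"{summary['visits']} loads across {summary['hosts']} hosts, "
              f"{summary['no_referrer']} user-initiated")
        for v in run:
            print(f"  {v.ts.time()}  {v.url}  <- {v.referrer or '(none)'}")
```

Run stand-alone it prints the single burst: six loads across five hosts in four seconds, of which exactly one (the first, with no referrer) is something the user chose. Strip the timestamps and referrers and the same data collapses to a list of six "visited" pornographic-looking URLs, which is why a highlighted-link test cannot separate the malware theory from the deliberate-browsing theory.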

She was visiting inappropriate web sites, got stuck in a popup loop, and then froze.
If you believe the previous theory, then certainly you ought to believe this one. It's possible to get infected visiting ordinary web sites, but it's even easier to get infected visiting porn sites, which aren't notoriously safe. And when confronted with the frankly embarrassing evidence of your malfeasance you would probably want to hide it by shutting off the computer, but again it's not crazy to believe that she would freeze.

She deliberately displayed porn to her class.
In this theory either her computer started to display porn for one of the previous two reasons and she decided to let it play for her class, or she intentionally put the computer in a state where it played porn for them. Obviously this is possible at some technical level, but it seems pretty implausible to me. Certainly teachers occasionally do inappropriate things (telling your students that if they don't accept Jesus they'll go to hell, for instance), but it's hard to understand what Amero's motivation for showing porn to her students in public would be. Even if we assume that for some unfathomable reason she wanted to "corrupt" them, wouldn't it be smarter to do it in some setting where she was less likely to get caught, fired, and prosecuted? Absent some explanation (for instance that she's completely crazy), this strikes me as fairly implausible.

So, at the end of the day it seems to me that we have two plausible explanations: a completely innocent woman froze, or someone who had been misusing school computers in the way that people misuse their employer's computers every day (I'm not making a moral judgement here, but most employers do prohibit use of their computers and network for viewing porn, so this is technically misuse) got caught. In either case, it's pretty hard to see how this merits a 40 year prison sentence. I don't know of any evidence that this caused any of the children any long-term harm, but even if it did, consider that in CT if you got in your car drunk and killed somebody, the sentence would be more like 10 years.