http://feeds.voices.washingtonpost.com/click.phdo?i=241a90d858a225bf7da821e1ab1a51c8

http://voices.washingtonpost.com/securityfix/2009/12/who_says_pay-per-click_revenue.html

http://feeds.voices.washingtonpost.com/click.phdo?i=437cc8dc004911dc8503fc32803f5c76

http://voices.washingtonpost.com/securityfix/2009/12/cdc_swine_flu_vaccine_scam.html

http://www.tsa.gov/blog/2009/12/what-was-she-thinking-true-thanksgiving.html

http://www.schneier.com/blog/archives/2009/12/fingerprinting_3.html

This research centers on looking at the radio characteristics of individual RFID chips and creating a "fingerprint." It makes sense; fingerprinting individual radios based on their transmission characteristics is as old as WW II. But while the research centers on using this as an anti-counterfeiting measure, I think it would much more likely be used as an identification and surveillance tool. Even if the communications is fully encrypted, this technology could be used to uniquely identify the chip.

http://www.homestarrunnerstore.com/20hoca.html

http://www.snopes.com/fraud/phishing/cdcvaccination.asp

http://thedailywtf.com/Articles/Special-Delivery.aspx

Brad’s phone rang with the telltale tone of an inner-office call. “Yeah,” he briskly blurted out as he picked up the phone, “what’cha ya need?” That was actually his nicewayof answering the phone. As the senior trader at Æxecor, one of the world’s largest energy trading companies, Brad didn’t need to impress anyone and, in his mind, displaying anything less than vicious hubris would be a sign of weakness.

“Err,” the receptionist nervously answers, “there’s a… err, delivery for you, sir. They—”

“Hmphf,” Brad’s scoff cut her off. “So just sign for it, then! Is that really that hard to do? You can do that, can’t you?”

“Well sir,” the receptionist winced, “they’re asking for mooring instructions? And we need to pay wharfage charges? They said you’d know. I’m at a loss.”

“Fine,” Brad scowled, “I guess I have to do everything around here!” He slammed down the phone and marched out of his corner office. Despite Æxecor’s location – the “old docks” district – their office was one of the most posh in the city. On one end of the expansive, former warehouse sat the executive suites, which had a tremendous view of the city skyline. The other end – where Brad was headed towards – was the reception which overlooked its own, private bay on the river.

“Okay, I’m here!” he angrily announced once he stepped foot in the lobby. “So let’s do this! What do I need to—”

Brad stopped mid-sentence. His eyes were immediately drawn through the floor-to-ceiling windows and onto the river bay that Æxecor’s building overlooked. There was an absolutely gigantic barge – nay, an armada of tightly-connected barges – overfilled with enormous piles of coal that was attempting to dock in front of the building. “What… the… fuuu—”

“You mus’ be Brad,” a cheerful voice jumped in. Brad’s eye’s shifted towards the scruffy fellow wearing some sort of workman’s uniform who was sitting in one of the reception chairs. “Now first and foremost, how in the Sam Hill are we ‘sposed to moor this boat? I count two cleats, but we sure as heck can’t hitch these. And, shoot, do you even have a bulk berth?”

For once, Brad was speechless. He had absolutely no idea who that man was and he could hardly understand a word he said. Plus, there was that gargantuan vessel that was slowly moving towards the building. “Uhh,” he stuttered, “wait. Are you delivering… coal? To… uhh, us?”

“Well, yeah! Twenty-eight thousand tons of the good ol’ black gold!” The workman sarcastically furrowed his brow adding, “I mean, we did get the right address, har har. This is Æxecor? And this is Pier 53? And you are Brad, the fella who ordered it, right?”

It was that moment that Brad’s palm almost immediately made contact with his forehead. He realized that something must have really gone awry: instead of virtually trading 28,000 tons of coal, Brad had somehow ended up with 28,000 tons of real coal.

Commodity Futures Trading 101

If you’ve ever watched Trading Places, the 1983 classic starring Eddie Murphy and Dan Aykroyd, then you’re probably at least familiar with commodities markets. At a basic level, commodities such as gold, wool, and soy beans are sold by producers and, eventually, delivered to buyers. But Billy Ray Valentine didn’t strike it rich and bankrupt the Duke Brothers by hauling around Frozen Concentrated Orange Juice (FCOJ); instead, they worked the commodities market by buying and selling FCOJ futures contracts. Actually, that’s really the only way to trade in commodities.

A futures contract is pretty straight forward: you agree to buy X units of commodity Y at $N per unit at some fixed future date. While it might seem a bit strange for an individual to agree to buy twenty tons of pork bellies in April for $34,420 (even if he really loves bacon), the idea is to sell the to-be-delivered pork bellies long before April, and to sell them for more than $34,420. Just about every conceivable commodity is bought and sold in this manner long before the commodity is even produced. The whole point of all this trading is to shift the risk (and rewards) of fluctuating commodity prices from the producers (farmers, miners, etc) to the traders.

Of course, because commodity traders don’t actually want to be stuck with tons and tons of pork bellies, a whole series of middlemen — from the brokers to the exchanges to the clearing houses — work hard to ensure that, when you say "I’ll buy 300 tons of pork bellies for $518,000 in May," you don’t actually buy 300 tons of pork bellies for $518,000 in May.

Brokers, for example, will set up round-turn trades so that, for each futures contract purchased, an offsetting contract can be sold to whoever actually wants to buy the goods. The exchange’s automated trading systems have all sorts of rules-engines to make sure that obvious errors (like delivering truckloads of commodities to a commercial office park) don’t slip through. And finally, processors at the clearing house will double-check transactions to make sure they weren’t sent over in error.

All that said, it’s almost impossible for traders to actually buy the commodities they are buying. Well, almost impossible.

A Perfect Storm

Æxecor traded coal on only one exchange (the WTFSE), and they didn’t trade coal very often. As such, when WTFSE upgraded its public-facing, WebService-based API, Æxecor’s internal trading system could no longer communicate with it. With a couple pending coal trades, this presented a bit of a problem.

Fortunately, Æxecor had a staff of crack programmers, and they were able to hack together a solution that worked with the WTFSE’s new API. Essentially, the coder added a bit of XML to their trading requests, including this following snippet.

<AdditionalProperties>
   <PhysicallyDeliver>
      <value>False</value>
   </PhysicallyDeliver>
</AdditionalProperties>

Notice anything off about that XML? If you said, “value should be 0 instead of False”, then give yourself a pat on the back. As it turned out, WTFSE only recognized 1’s and 0’s to represent True and False and, if the value was nether 1 nor 0, it simply defaulted to 1. Whoops!

Now, this normally wouldn’t have been that big of a deal; to ensure accurate transactions, the WTFSE (and just about all other exchanges) sends back a trade confirmation with all of the original information encoded in their XML. That way, both parties have to understand each other’s data. On Æxecor's end, everything looked hunky dory, especially as a result of the following line of code.

bool physicallyDeliver = 
    (getNodeVal("PhysicallyDeliver").toLower() == "true");

Kudos to the developer for verifying the correct case... but, a string can be infinitely more things than simply "true" or "false". Such as "1" or "0". Whoops.

Even a mistakenly confirmed incorrect trade shouldn’t have been that big of a deal, since the clearing house would notice some pretty big problems with the trade. You can’t just call up FedEx and request delivery of thousands upon thousands of tons of raw material to some office complex downtown. Commodities can only be delivered to a fixed number of delivery points, such as warehouses adjacent to train yards or ports. Of course, since Æxecor’s offices were in located on Pier 53, a recently redeveloped warehouse district off the river, it would have seemed like the logical place to accept delivery of a whole bunch of coal, especially to a rules engine. Whoops.

Fortunately, the commodity futures trading market doesn’t rely entirely on software. There are back-office personnel on both sides of the transaction (and several places in the middle) to make sure that a trader doesn’t do something silly like accidently click the “physically deliver” checkbox, enter into round-turn trades that creates an instant net loss, and so on.

So with everyone looking over transactions, you’d think that someone along the way would have noticed that trading giant Æxecor asked for physical delivery of a million-and-a-half dollars worth of coal. Actually, someone probably did, but because the trade came from Brad, there was just no way it could be made in err.

As the senior trader at Æxecor, Brad made it very clear that no one — “not even His Holiness, the Pope” — shall question his trades. After all, Brad makes complex trading decisions that no one else could possibly comprehend. Sometimes he buys high and sells low. Sometimes he holds in a decline. Sometimes he refuses to sell at any price. Brad works in mysterious ways, and if he said “do it”, then it better get done.

An Early Christmas

“Now don’t go telling me that this coal ain’t yours,” the workman said defensively, sensing something was awry. “I mean, if you don’t want it, that’s your business. But this here is your coal, mister Brad.”

As much as Brad wanted to deny it, he knew it was his. And not only that, but he had haughtily confirmed, re-confirmed, and re-re-confirmed with Æxecor’s own back-office processing team. He had just assumed, like he always did, that the mouth-breathing paper-pushers couldn’t read English. As he played back the last thing he told one of the processors about the coal order – “what part of ‘execute my f*ing trade’ don’t you understand!?” – he wondered what he could possibly do with 56,000,000 pounds of real coal.

Try to imagine for a moment how you would unload a mountain of coal worth million-and-a-half dollars. Craigslist does have its limits, after all.

As it turned out, it was more difficult than Brad could have ever imagined to sell real coal. The commodities market really only deals in futures, and everyone who actually needs 28,000 tons of coal has bought it long in advance. And besides, who wants to buy coal from some guy named Brad? Eventually, after paying exorbitant wharfing, shipping, environmental, docking, unloading, loading, and multiple-fee fees, Brad was finally able to unload it for twenty cents on the dollar.

Ever since “The Big Purchase”, Brad has never been able to live down his mountain of coal. Every time he passed others in the hallway, he knew that they knew about the coal, and they knew that he knew that they knew. No one really poked fun or laughed at him, but it didn’t matter. Brad was no longer thought of the senior trader at Æxecor; instead, he was the guy who accidently bought all that coal.

http://www.schneier.com/blog/archives/2009/12/cyberwarfare_po.html

National Journal has an excellent article on cyberwar policy. I agree with the author's comments on The Atlantic blog:

Would the United States ever use a more devastating weapon, perhaps shutting off the lights in an adversary nation? The answer is, almost certainly no, not unless America were attacked first.

To understand why, forget about the cyber dimension for a moment. Imagine that some foreign military had flown over a power substation and Brazil and dropped a bomb on it, depriving electricity to millions of people, as well as the places they work, the hospitals they visit, and the transportation they use. If there were no official armed conflict between Brazil and its attacker, the bombing would be illegal under international law. That's a pretty basic test. But even if there were a declared war, or a recognized state of hostilities, knocking out vital electricity to millions of citizens--who presumably are not soldiers in the fight--would fail a number of other basic requirements of the laws of armed conflict. For starters, it could be considered disproportionate, particularly if Brazil hadn't launched any similar sized offensive on its adversary. Shutting off electricity to whole cities can effectively paralyze them. And the bombing would clearly target non-combatants. The government uses electricity, yes, but so does the entire civilian population.

Now add the cyber dimension. If the effect of a hacker taking down the power grid is the same as a bomber--that is, knocking out electrical power--then the same rules apply. That essentially was the conclusion of a National Academies of Sciences report in April. The authors write, "During acknowledged armed conflict (notably when kinetic and other means are also being used against the same target nation), cyber attack is governed by all the standard law of armed conflict. ...If the effects of a kinetic attack are such that the attack would be ruled out on such grounds, a cyber attack that would cause similar effects would also be ruled out."

[...]

According to a report in The Guardian, military planners refrained from launching a broad cyber attack against Serbia during the Kosovo conflict for fear of committing war crimes. The Pentagon theoretically had the power to "bring Serbia's financial systems to a halt" and to go after the personal accounts of Slobodan Milosevic, the newspaper reported. But when the NATO-led bombing campaign was in full force, the Defense Department's general counsel issued guidance on cyber war that said the law of (traditional) war applied.

The military ran into this same dilemma four years later, during preparations to invade Iraq in 2003. Planners considered whether to launch a massive attack on the Iraqi financial system in advance of the conventional strike. But they stopped short when they realized that the same networks used by Iraqi banks were also used by banks in France. Releasing a vicious computer virus into the system could potentially harm America's allies. Some planners also worried that the contagion could spread to the United States. It could have been the cyber equivalent of nuclear fallout.

A 240-page Rand study by Martin Libicki -- "Cyberdefense and Cyberwar" -- came to the same conclusion:

Predicting what an attack can do requires knowing how the system and its operators will respond to signs of dysfunction and knowing the behavior of processes and systems associated with the system being attacked. Even then, cyberwar operations neither directly harm individuals nor destroy equipment (albeit with some exceptions). At best, these operations can confuse and frustrate operators of military systems, and then only temporarily. Thus, cyberwar can only be a support function for other elements of warfare, for instance, in disarming the enemy.

Commenting on the Rand report:

The report backs its findings by measuring probable outcomes to cyberattacks and determining that the results are too scattered to carry out accurate predictions. This is coupled with the problem of countering an attack. It is difficult to determine who conducted a specific cyberattack so any counter strikes or retaliations could backfire. Rather than going on the offensive, the United States should pursue diplomacy and attempt to find and prosecute the cybercriminals involved in an initial strike.

Libicki said that the military can attempt a cyberattack for a specific combat operation, but it would be a guessing game when trying to gauge the operation's success since any result from the cyberattack would be unclear.

Instead the Rand report suggests the government invest in bolstering military networks, which as we know, have the same vulnerabilities as civilian networks.

I wrote about cyberwar back in 2005.

http://www.snopes.com/politics/business/captrade.asp

http://feeds.voices.washingtonpost.com/click.phdo?i=e8a5272e717f7e8e68cbaf072c7962de

http://voices.washingtonpost.com/securityfix/2009/11/bogus_dhl_e-mails_harbor_secre.html

http://feeds.voices.washingtonpost.com/click.phdo?i=ad560ca467d577c632c51e4e2bbd132e

http://voices.washingtonpost.com/securityfix/2009/11/hackers_hit_wash_dc_firm_for_1.html

http://thedailywtf.com/Articles/Pretty-Basic-Validation.aspx

"For reasons beyond my comprehension," Kristof writes, "one of my coworkers has managed to keep his job after more than eighteen months of messing about. His latest project was to build an import feature in the admin module of our web application. The idea behind the feature was that the administrators could upload a tab-delimited text file containing a list of products, and the application would insert or update the products in the database."

"Of course, the import feature required some pretty basic validation," Kristof continued. "Is it actually a text file? Is it tab delimited? Are the columns correct? And so on."

"To solve this, my colleague figured the best way was to verify that the uploaded file's name had the correct extension of .txt. It's a decent first step that one would normally code as follows."

if (System.IO.Path.GetExtension(fileName).ToLower() == "txt")
{
    // The extension is OK. Proceed with the rest of the validation
}
else
{
    // Incorrect extension. Show error message.
}

"My colleague, on the other hand, came up with this."

string InvalidExtensions = ".exe;.dll;.com;.bat;.ini;.sys;.aspx;"
   + ".asp;.php;.htw;.ida;.idq;.asp;.cer;.cdx;.asa;.htr;.idc;.shtm;"
   + ".shtml;.stm;.printer;.asax;.ascx;.ashx;.asmx;.aspx;.axd;.rem;"
   + ".soap;.config;.cs;.csproj;.vb;.vbproj;.webinfo;.licx;.resx;"
   + ".resources;.vsdisco;";

if (!InvalidExtensions.Contains(fileName.ToString().Substring(fileName.ToString().LastIndexOf("."))))
{
    // The extension is OK. Proceed with the rest of the validation
}
else
{
    // Incorrect extension. Show error message.
}

"That's right," Kristof wrote. "He put a very limited list of invalid extensions in a string, and then made sure that the extension of the uploaded file was not in that list."

He added, "when I asked my colleague what would happen if someone uploaded a .doc file or a .pdf file, he replied 'Oh yeah, you're right... I should add those to the list as well!' I was stupefied."

http://www.schneier.com/blog/archives/2009/11/the_psychology_4.html

This is a very interesting paper: Understanding scam victims: seven principles for systems security, by Frank Stajano and Paul Wilson. Paul Wilson produces and stars in the British television show The Real Hustle, which does hidden camera demonstrations of con games. (There's no DVD of the show available, but there are bits of it on YouTube.) Frank Stajano is at the Computer Laboratory of the University of Cambridge.

The paper describes a dozen different con scenarios -- entertaining in itself -- and then lists and explains six general psychological principles that con artists use:

1. The distraction principle. While you are distracted by what retains your interest, hustlers can do anything to you and you won't notice.

2. The social compliance principle. Society trains people not to question authority. Hustlers exploit this "suspension of suspiciousness" to make you do what they want.

3. The herd principle. Even suspicious marks will let their guard down when everyone next to them appears to share the same risks. Safety in numbers? Not if they're all conspiring against you.

4. The dishonesty principle. Anything illegal you do will be used against you by the fraudster, making it harder for you to seek help once you realize you've been had.

5. The deception principle. Thing and people are not what they seem. Hustlers know how to manipulate you to make you believe that they are.

6. The need and greed principle. Your needs and desires make you vulnerable. Once hustlers know what you really want, they can easily manipulate you.

It all makes for very good reading.

Two previous posts on the psychology of conning and being conned.

http://feeds.voices.washingtonpost.com/click.phdo?i=58f36060c3706b5e8258e643866ca3e3

http://voices.washingtonpost.com/securityfix/2009/11/eight_tips_for_safe_online_sho.html

http://www.rootkit.com/blog.php?newsid=983

http://www.snopes.com/photos/animals/luckycoyote.asp

http://windowsir.blogspot.com/2009/11/incident-preparation.html