RISKS Forum mailing list archives
Risks Digest 28.31
From: RISKS List Owner <risko () csl sri com>
Date: Fri, 24 Oct 2014 14:36:12 PDT
RISKS-LIST: Risks-Forum Digest Friday 24 October 2014 Volume 28 : Issue 31

ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
Peter G. Neumann, moderator, chmn ACM Committee on Computers and Public Policy

***** See last item for further information, disclaimers, caveats, etc. *****
This issue is archived at <http://www.risks.org> as
<http://catless.ncl.ac.uk/Risks/28.31.html>
The current issue can be found at
<http://www.csl.sri.com/users/risko/risks.txt>

Contents:
Audi Recalls 850,000 Cars Over Airbag Software Flaw (NYT via Monty Solomon)
Feds examining medical devices for fatal cybersecurity flaws (David Kravets via Monty Solomon)
NOAA is having major weather satellite data feed issues (danny burstein)
Belkin routers around the globe unable to connect to the Internet (Myce)
India probes identity card for monkey god Hanuman (BBC via Prashanth Mundkur)
Machine Tasked with Getting Rid of Spam Could End Humanity (Elon Musk)
The Exascale Revolution (Tiffany Trader)
Dangers of an IT monoculture (Robert L Wears)
IoT as a Hazard: Smart Meters prove vulnerable (Bob Gezelter)
Hackers' Attack Cracked 10 Financial Firms in Major Assault (NYT)
Cyberattack on JPMorgan Raises Alarms at White House and on Wall Street (NYT)
The Unpatchable Malware That Infects USBs Is Now on the Loose (Andy Greenberg)
ComputerCOP: dubious "Internet Safety Software" given to US families (Ars)
iOS 8.1 plugs security hole that made it easy to install emulators (Kyle Orland)
"Cisco, Oracle find dozens of their products affected by Shellshock" (Lucian Constantin)
"Mayhem malware spreads through Linux servers via Shellshock exploits" (Lucian Constantin)
Bug in Bash shell creates big security hole on anything with *nix in it (Brett Mahar)
Samsung printer sniffers (David Lesher)
Twitter Sues U.S. Government Over Data Disclosure Rules (Monty Solomon)
Dozens of European ATMs rooted, allowing criminals to easily cash out (Robert Lemos)
Using new Corvette's valet-recording tech could be a felony in some states (Megan Geuss)
"The Dark Market for Personal Data" (Frank Pasquale)
"Patent trolls have one fewer legal loophole to hide behind" (Simon Phipps via Gene Wirchenko)
The "he said, she said" of how the FBI found Silk Road's servers (Ars)
New York City orders Bluetooth beacons in pay phones to come down (Ars)
Seeing where the last taxi passenger went (Jeremy Epstein)
JPMorgan Discovers Further Cyber Security Issues (Monty Solomon)
7 million Dropbox username/password pairs apparently leaked (Ars)
Russia's Sandworm Hack Spying on Foreign Governments for Years (WiReD)
Google report on EU "right to be forgotten" requests (Lauren Weinstein)
This POODLE bites: exploiting the SSL 3.0 fallback (Google)
Re: Firedrive and Cloudflare (Jay Grizzard)
Re: Firedrive has gone down taking millions of files with it (Henry Baker)
Abridged info on RISKS (comp.risks)

----------------------------------------------------------------------

Date: Fri, 24 Oct 2014 06:30:53 -0400
From: Monty Solomon <monty () roscom com>
Subject: Audi Recalls 850,000 Cars Over Airbag Software Flaw

The recall of the 2013-15 A4 model includes about 102,000 cars in the United States, and the company said it had no reports of related accidents.

http://www.nytimes.com/2014/10/24/business/audi-recalls-850000-cars-over-airbag-software-flaw.html

------------------------------

Date: Fri, 24 Oct 2014 01:16:26 -0400
From: Monty Solomon <monty () roscom com>
Subject: Feds examining medical devices for fatal cybersecurity flaws (David Kravets)

David Kravets, Ars Technica, 23 Oct 2014,
They could be controlled remotely, overdose patients, or thwart heart implants.

http://arstechnica.com/tech-policy/2014/10/feds-examining-medical-devices-for-fatal-cybersecurity-flaws/

------------------------------

Date: Wed, 22 Oct 2014 22:41:42 -0400 (EDT)
From: danny burstein <dannyb () panix com>
Subject: NOAA is having major weather satellite data feed issues

(I can't find a copy of their actual news release, so using this press story)

"Since Tuesday night, NESDIS, NOAA's satellite and information service, has been experiencing network issues, and has not received a full feed of satellite data for input, a critical component for the numerical models used to forecast the weather"

http://www.accuweather.com/en/weather-news/noaa-network-issue-may-impact/36161909

It took a *year* for them to fix the NOAA/AHR radio transmitter in NYC, and that only happened after a WSJ article...

------------------------------

Date: Tue, 7 Oct 2014 13:40:29 -0700
From: Lauren Weinstein <lauren () vortex com>
Subject: Belkin routers around the globe unable to connect to the Internet (Myce)

Myce via NNSquad
http://www.myce.com/news/belkin-router-users-worldwide-unable-to-connect-to-the-internet-73019/

As a workaround, Belkin is suggesting that users change their routers' DNS settings to use Google DNS on 8.8.8.8 and 8.8.4.4:
https://statuspage-production.s3.amazonaws.com/static/belkin.html
(interesting URL)

------------------------------

Date: Thu, 23 Oct 2014 01:26:19 -0700
From: Prashanth Mundkur <prashanth.mundkur () gmail com>
Subject: India probes identity card for monkey god Hanuman (BBC)

BBC, 12 September 2014
http://www.bbc.com/news/world-asia-india-29175870

Authorities in India are investigating how Hanuman, the monkey god, has been issued a biometric identity card. [...] It emerged when a postman attempted to deliver the card, but could not find a Hanuman at the address.

------------------------------

Date: Fri, 10 Oct 2014 13:21:55 -0600
From: "Matthew Kruk" <mkrukg () gmail com>
Subject: Machine Tasked with Getting Rid of Spam Could End Humanity (Elon Musk)

http://www.vanityfair.com/online/daily/2014/10/elon-musk-artificial-intelligence-fear

------------------------------

Date: Fri, 24 Oct 2014 12:11:58 -0400 (EDT)
From: "ACM TechNews" <technews () hq acm org>
Subject: The Exascale Revolution (Tiffany Trader)

Tiffany Trader, The Exascale Revolution, HPC Wire, 23 Oct 2014
(via ACM TechNews, Friday, October 24, 2014)

Experts are coming to a consensus that the shift from the petascale to the exascale supercomputing eras is going to be more challenging than many previously anticipated. At the recent Argonne National Laboratory Training Program in Extreme Scale Computing, Pete Beckman, director of Argonne's Exascale Technology and Computing Institute, highlighted some of the possible problems. One major concern is power and the costs associated with it. Although supercomputers have been getting more energy-efficient, Beckman uses the example of the most recent generations of IBM supercomputers to demonstrate a 5x trajectory of energy efficiency gains that would still have an exascale system requiring 64 megawatts of power, which could cost tens of millions of dollars a year. These cost concerns are prompting many countries to pursue exascale computing on an international scale, forming multinational partnerships to share the massive costs. The U.S. and Japan recently entered such an agreement, and Europe is looking to join them. However, China is proceeding on its own, largely on the strength of its own native technology. Beckman also addressed challenges relating to memory and resilience and the need to update software to be able to make use of exascale resources.

http://orange.hosting.lsoft.com/trk/click?ref=znwrbbrs9_5-cd87x2bdf9x068385&

------------------------------

Date: Fri, 24 Oct 2014 11:32:55 -0400
From: "Robert L Wears, MD, MS, PhD" <wears () ufl edu>
Subject: Dangers of an IT monoculture

A recent paper in a medical journal raises concerns about the emergence of an IT 'monoculture' in healthcare. But, the paper misses IMHO the most significant risk of a monoculture -- that it increases the magnitude of the inevitable failures. In agriculture and ecosystems, monocultures lead to the more rapid spread of pests and diseases, and are more vulnerable to catastrophic collapse, particularly when conditions change.

In a heterogeneous population of EHRs, the occasional failure of any given system due to hidden bugs, vulnerabilities, hacking, or unexpected interactions with the conditions of use would create major problems for individual institutions or work systems (e.g., see RISKS-23.19, 23.81, 24.68, 25.45, 25.51, 26.25, 28.3) but its impact would be limited. However, if a large proportion of systems all contain the same vulnerability ... what could possibly go wrong?

The original paper available at:
http://jamia.bmj.com/content/early/2014/10/23/amiajnl-2014-003023.abstract

Robert L Wears, University of Florida wears () ufl edu 1-904-244-4405 (ass't)
Imperial College London r.wears () imperial ac uk +44 (0)791 015 2219

------------------------------

Date: Fri, 17 Oct 2014 09:46:10 -0700
From: "Bob Gezelter" <gezelter () rlgsc com>
Subject: IoT as a Hazard (IaaH): Smart Meters prove vulnerable

It should not be surprising. While the Internet of Things (IoT) has great promise, widely-deployed, connected devices are an attractive target for all kinds of mischief.

SecurityAffairs reports that Javier Vazquez Vidal and Alberto Garcia Illera explored smart power meters used in Spain. They found that they could be hacked, and exploited in a number of ways (e.g., transferring usage, reporting false data).

The lack of integrity in such devices also raises the possibility that large numbers of compromised devices could be used to present a false picture to utility operators, compromising the operation of the utility's production and transmission facilities. A profoundly disturbing picture.

Meters and other devices also represent a potential privacy hazard to the individual.

The full article can be found at:
http://securityaffairs.co/wordpress/29353/security/smart-meters-hacking.html

Bob Gezelter, http://www.rlgsc.com

------------------------------

Date: Sun, 5 Oct 2014 00:36:07 -0400
From: Monty Solomon <monty () roscom com>
Subject: Hackers' Attack Cracked 10 Financial Firms in Major Assault (NYT)

Matthew Goldstein, Nicole Perlroth and David E. Sanger, *The New York Times*, 3 Oct 2014

The huge cyberattack on JPMorgan Chase that touched more than 83 million households and businesses was one of the most serious computer intrusions into an American corporation. But it could have been much worse.

Questions over who the hackers are and the approach of their attack concern government and industry officials. Also troubling is that about nine other financial institutions - a number that has not been previously reported - were also infiltrated by the same group of overseas hackers, according to people briefed on the matter.

The hackers are thought to be operating from Russia and appear to have at least loose connections with officials of the Russian government, the people briefed on the matter said. ...

http://dealbook.nytimes.com/2014/10/03/hackers-attack-cracked-10-banks-in-major-assault/

Jessica Silver-Greenberg, Matthew Goldstein, Nicole Perlroth, NYT, 2 Oct 2014
JPMorgan Chase Hacking Affects 76 Million Households
Hackers' Attack Cracked 10 Financial Firms in Major Assault
http://dealbook.nytimes.com/2014/10/02/jpmorgan-discovers-further-cyber-security-issues/

Ways to Protect Yourself After the JPMorgan Hacking
Tara Siegel Bernard, *The New York Times*, 3 Oct 2014
http://www.nytimes.com/2014/10/04/your-money/jpmorgan-chase-hack-ways-to-protect-yourself.html

------------------------------

Date: Wed, 8 Oct 2014 19:55:48 -0400
From: Monty Solomon <monty () roscom com>
Subject: Cyberattack on JPMorgan Raises Alarms at White House and on Wall Street

Other financial institutions -- Citigroup, E*Trade Financial and HSBC -- found that one of the same web addresses used to penetrate JPMorgan had tried to get into their systems.

http://dealbook.nytimes.com/2014/10/08/cyberattack-on-jpmorgan-raises-alarms-at-white-house-and-on-wall-street/

------------------------------

Date: Sat, 4 Oct 2014 23:35:31 -0400
From: Monty Solomon <monty () roscom com>
Subject: The Unpatchable Malware That Infects USBs Is Now on the Loose (Andy Greenberg)

Andy Greenberg, *WiReD*, 2 Oct 2014

It's been just two months since researcher Karsten Nohl demonstrated an attack he called BadUSB to a standing-room-only crowd at the Black Hat security conference in Las Vegas, showing that it's possible to corrupt any USB device with insidious, undetectable malware. Given the severity of that security problem-and the lack of any easy patch-Nohl has held back on releasing the code he used to pull off the attack. But at least two of Nohl's fellow researchers aren't waiting any longer.

In a talk at the Derbycon hacker conference in Louisville, Kentucky last week, researchers Adam Caudill and Brandon Wilson showed that they've reverse engineered the same USB firmware as Nohl's SR Labs, reproducing some of Nohl's BadUSB tricks. And unlike Nohl, the hacker pair has also published the code for those attacks on Github, raising the stakes for USB makers to either fix the problem or leave hundreds of millions of users vulnerable. ...

http://www.wired.com/2014/10/code-published-for-unfixable-usb-attack/

------------------------------

Date: Wed, 1 Oct 2014 08:32:48 -0700
From: Lauren Weinstein <lauren () vortex com>
Subject: ComputerCOP: dubious "Internet Safety Software" given to US families

Ars via NNSquad
http://arstechnica.com/tech-policy/2014/10/computercop-the-dubious-internet-safety-software-given-to-families-nationwide/

Police chiefs, sheriffs, and district attorneys have handed out hundreds of thousands of copies of the disc to parents for free at schools, libraries, and community events, usually as a part of an "Internet Safety" outreach initiative. (You can see the long list of ComputerCOP outlets here.) The packaging typically features the agency's official seal and the chief's portrait, with a signed message warning of the "dark and dangerous off-ramps" of the Internet.

As official as it looks, ComputerCOP is actually just spyware, generally bought in bulk from a New York company that appears to do nothing but market this software to local government agencies using shady information.

The way ComputerCOP works is neither safe nor secure. It isn't particularly effective either, except for generating positive PR for the law enforcement agencies distributing it. As security software goes, we observed a product with a keystroke-capturing function, also called a "keylogger," that could place a family's personal information at extreme risk by transmitting those keystroke logs over the Internet to third-party servers without encryption. That means many versions of ComputerCOP leave children (and their parents, guests, friends, and anyone using the affected computer) exposed to the same predators, identity thieves, and bullies that police claim the software protects against.

Furthermore, by providing a free keylogging program--software that operates without even the most basic security safeguards--law enforcement agencies are passing around what amounts to a spying tool that could easily be abused by people who want to snoop on spouses, roommates, or co-workers.

------------------------------

Date: Thu, 9 Oct 2014 00:21:14 -0400
From: Monty Solomon <monty () roscom com>
Subject: iOS 8.1 plugs security hole that made it easy to install emulators (Kyle Orland)

Kyle Orland, Ars Technica, 8 Oct 2014
"Date trick" workaround allowed for unapproved apps without jailbreaking.

http://arstechnica.com/gaming/2014/10/ios-8-1-plugs-security-hole-that-made-it-easy-to-install-emulators/

------------------------------

Date: Thu, 02 Oct 2014 15:33:58 -0700
From: Gene Wirchenko <genew () telus net>
Subject: "Cisco, Oracle find dozens of their products affected by Shellshock" (Lucian Constantin)

Lucian Constantin, Infoworld, 30 Sep 2014
Cisco, Oracle find dozens of their products affected by Shellshock
Cisco has identified 71 products vulnerable to Shellshock and Oracle 51, but the number is likely to increase

http://www.infoworld.com/article/2689356/security/cisco-oracle-find-dozens-of-their-products-affected-by-shellshock.html

------------------------------

Date: Tue, 14 Oct 2014 11:53:44 -0700
From: Gene Wirchenko <genew () telus net>
Subject: "Mayhem malware spreads through Linux servers via Shellshock exploits" (Lucian Constantin)

Lucian Constantin, Infoworld, 10 Oct 2014
The botnet targets Web servers that haven't been patched for recent vulnerabilities found in the Bash Linux shell

http://www.infoworld.com/article/2824494/security/mayhem-malware-spreads-through-linux-servers-via-shellshock-exploits.html

------------------------------

Date: Wed, 1 Oct 2014 13:37:03 +1000
From: Brett Mahar <brett () coiloptic org>
Subject: Re: Bug in Bash shell creates big security hole on anything with *nix in it (Weinstein, RISKS-28.29)

Not on OpenBSD, bash is not the shell, unless manually installed and configured to be. Also, all network facing services are installed in chroot by default, so even if bash was made the default shell it would be inaccessible.

------------------------------

Date: Oct 3, 2014 6:10 PM
From: David Lesher <wb8foz () panix com>
Subject: Samsung printer sniffers (via Dave Farber)

I was planning on spec'ing a quantity of Samsung printers for a client. We bought a sample. The Mac driver installed OK, but the Windows one had a very disturbing message during installation: Samsung was going to sniff the printer's output, to {of course} better serve the customer. [I paraphrase slightly....]

Needless to say, I was far from pleased. I tried to disallow same during the installation, but got no confirmation that it happened. {I can guess Samsung does not sell many printers to either Ft. Meade or Langley.}

I've tried to reach someone at Samsung's printer division but got nowhere; Support does not see it as their potato, and Sales's voicemail said they will call me Back Real Soon Now.

------------------------------

Date: Tue, 7 Oct 2014 18:12:58 -0400
From: Monty Solomon <monty () roscom com>
Subject: Twitter Sues U.S. Government Over Data Disclosure Rules

The social media giant wants to loosen restrictions on what it is allowed to tell users about government information requests.

http://bits.blogs.nytimes.com/2014/10/07/twitter-sues-u-s-government-over-data-disclosure-rules/

------------------------------

Date: Wed, 8 Oct 2014 09:00:58 -0400
From: Monty Solomon <monty () roscom com>
Subject: Dozens of European ATMs rooted, allowing criminals to easily cash out (Robert Lemos)

Robert Lemos, Ars Technica, 7 Oct 2014
Criminals with physical access to ATMs install malware to control flow of money.

Criminals are installing fairly sophisticated malicious programs on banks' ATMs, allowing them to control access to the machines and easily steal cash, security firms Kaspersky and Interpol said in a joint statement released on Tuesday. ...

http://arstechnica.com/security/2014/10/dozens-of-european-atms-rooted-allowing-criminals-to-easily-cash-out/

------------------------------

Date: Wed, 8 Oct 2014 09:08:15 -0400
From: Monty Solomon <monty () roscom com>
Subject: Using new Corvette's valet-recording tech could be a felony in some states (Megan Geuss)

Megan Geuss, Ars Technica, 26 Sep 2014
GM is sending updated software to make Valet Mode less legally questionable.

http://arstechnica.com/tech-policy/2014/09/new-corvettes-valet-recording-tech-could-be-a-felony-in-12-states/

------------------------------

Date: Thu, 16 Oct 2014 21:00:43 -0400
From: Marc Rotenberg <rotenberg () epic org>
Subject: "The Dark Market for Personal Data" (Frank Pasquale)

Frank Pasquale, *The New York Times* op-ed, 16 Oct 2014
http://www.nytimes.com/2014/10/17/opinion/the-dark-market-for-personal-data.html

The reputation business is exploding. Having eroded privacy for decades, shady, poorly regulated data miners, brokers and resellers have now taken creepy classification to a whole new level.

They have created lists of victims of sexual assault, and lists of people with sexually transmitted diseases. Lists of people who have Alzheimer's, dementia and AIDS. Lists of the impotent and the depressed. There are lists of impulse buyers. Lists of suckers: gullible consumers who have shown that they are susceptible to vulnerability-based marketing. And lists of those deemed commercially undesirable because they live in or near trailer parks or nursing homes. Not to mention lists of people who have been accused of wrongdoing, even if they were not charged or convicted.

Typically sold at a few cents per name, the lists don't have to be particularly reliable to attract eager buyers -- mostly marketers, but also, increasingly, financial institutions vetting customers to guard against fraud, and employers screening potential hires.

There are three problems with these lists. First, they are often inaccurate. For example, as The Washington Post reported, an Arkansas woman found her credit history and job prospects wrecked after she was mistakenly listed as a methamphetamine dealer. It took her years to clear her name and find a job.

Second, even when the information is accurate, many of the lists have no business being in the hands of retailers, bosses or banks. Having a medical condition, or having been a victim of a crime, is simply not relevant to most employment or credit decisions.

Third, people aren't told they are on these lists, so they have no opportunity to correct bad information. The Arkansas woman found out about the inaccurate report only when she was denied a job. She was one of the rare ones. [...]

Frank Pasquale, a professor of law at the University of Maryland, is the author of the forthcoming book, The Black Box Society: The Secret Algorithms That Control Money and Information.

------------------------------

Date: Fri, 17 Oct 2014 14:33:51 -0700
From: Gene Wirchenko <genew () telus net>
Subject: "Patent trolls have one fewer legal loophole to hide behind" (Simon Phipps)

It is nice to see the patent trolls having risks.

Simon Phipps, InfoWorld | 16 Oct 2014
With one subtle stroke, the Judicial Conference of the United States retires an old rule -- and denies patent trolls a major weapon

http://www.infoworld.com/article/2834542/patents/rule-change-hits-trolls.html

------------------------------

Date: Fri, 3 Oct 2014 16:43:38 -0400
From: Monty Solomon <monty () roscom com>
Subject: The "he said, she said" of how the FBI found Silk Road's servers

http://arstechnica.com/tech-policy/2014/10/the-he-said-she-said-of-how-the-fbi-found-silk-roads-servers/

------------------------------

Date: Tue, 7 Oct 2014 10:28:58 -0400
From: Monty Solomon <monty () roscom com>
Subject: New York City orders Bluetooth beacons in pay phones to come down

http://arstechnica.com/tech-policy/2014/10/new-york-city-orders-bluetooth-beacons-in-pay-phones-to-come-down/

------------------------------

Date: Sun, 12 Oct 2014 08:31:45 -0400
From: Jeremy Epstein <jeremy.j.epstein () gmail com>
Subject: Seeing where the last taxi passenger went

On a recent ride from Washington Dulles airport (IAD) to my home in the Virginia suburbs, the cab had an Android tablet mounted to the back of the front-seat passenger seat, running an app that allowed you to see the weather, driver information, etc. But the most interesting thing was that it allowed you to enter your destination in Google Maps, which is useful for drivers who may not know the area and/or whose English isn't the best. A tool like this could be particularly useful if it allowed input in multiple languages -- i.e., allow a Japanese visitor to enter their destination in Japanese; similarly if such a thing were in a taxi in Japan, it would be useful to allow an English-speaking visitor to enter their destination in English. [Perhaps such things already exist; I haven't seen one.]

However, the part that gave me slight pause was that in the destination field, I could see the most recent half dozen destinations that cab had gone, and there was no (obvious) way to clear destinations if I entered mine. At one level, this isn't a big deal -- if the cab had been on the street, then the most recent destination was presumably near where I got it. On the other hand, if the driver was being dispatched, the recent destinations might be places where the driver had recently picked up passengers, and hence likely empty homes. One could also hypothesize interesting things one might learn -- if one sees a politician getting out of a cab, one might be interested in where he/she was coming from - i.e., from a lobbyist's office or a secret lover's hideaway. But all this depends on getting just the right timing - finding the right person coming out of the cab, and getting in before another passenger.

Overall, I think the risk is low, but it might be surprising to taxi customers that a future customer can find out where they went.

------------------------------

Date: Thu, 2 Oct 2014 17:07:10 -0400
From: Monty Solomon <monty () roscom com>
Subject: JPMorgan Discovers Further Cyber Security Issues

The nation's largest bank recently found that hackers had gained entry to some of its servers, say several people with knowledge of the investigation.

http://dealbook.nytimes.com/2014/10/02/jpmorgan-discovers-further-cyber-security-issues/

------------------------------

Date: Mon, 13 Oct 2014 21:20:31 -0700
From: Lauren Weinstein <lauren () vortex com>
Subject: 7 million Dropbox username/password pairs apparently leaked

Ars via NNSquad
http://arstechnica.com/security/2014/10/7-million-dropbox-usernamepassword-pairs-apparently-leaked/

"Popular online locker service Dropbox appears to have been hacked. A series of posts have been made to Pastebin purporting to contain login credentials for hundreds of Dropbox accounts, with the poster claiming that altogether 6,937,081 account credentials have been compromised. Reddit users who have tested some of the leaked credentials have confirmed that at least some of them work. Dropbox seems to have bulk reset all the accounts listed in the Pastebin postings, though thus far other accounts do not appear to have had their passwords reset. The hackers claim that they will release more username/password pairs if they receive donations to their bitcoin address."

It's like damned "Groundhog Day" ...

LATER Update: Dropbox is saying that this is not a hack per se, but rather a cross-site shared password attack -- which of course can still cause a lot of problems if you share your passwords between services and don't have 2-factor authentication enabled. [NNSquad]

------------------------------

Date: Mon, 13 Oct 2014 21:27:35 -0700
From: Lauren Weinstein <lauren () vortex com>
Subject: Russia's Sandworm Hack Spying on Foreign Governments for Years

Wired via NNSquad
http://www.wired.com/2014/10/russian-sandworm-hack-isight/

"A cyberespionage campaign believed to be based in Russia has been targeting government leaders and institutions for nearly five years, according to researchers with iSight Partners who have examined code used in the attacks. The campaign, dubbed "Sandworm" is believed to have been running since 2009, and used a wide-reaching zero-day exploit uncovered by the researchers that affects nearly every version of the Windows operating system released since Windows Vista."

[Also noted by Bob Gezelter]
http://www.isightpartners.com/2014/10/cve-2014-4114/

- Bob Gezelter, http://www.rlgsc.com

------------------------------

Date: Fri, 10 Oct 2014 11:46:52 -0700
From: Lauren Weinstein <lauren () vortex com>
Subject: Google report on EU "right to be forgotten" requests

Google via NNSquad
http://www.google.com/transparencyreport/removals/europeprivacy/

European privacy requests for search removals.
// Total URLs that Google has evaluated for removal: 497,695 URLs
// Total requests Google has received: 144,954 requests
// 41.8% removal approval rate.

------------------------------

Date: Tue, 14 Oct 2014 17:58:06 -0700
From: Lauren Weinstein <lauren () vortex com>
Subject: This POODLE bites: exploiting the SSL 3.0 fallback

Google via NNSquad
http://googleonlinesecurity.blogspot.com.au/2014/10/this-poodle-bites-exploiting-ssl-30.html

"Today we are publishing details of a vulnerability in the design of SSL version 3.0. This vulnerability allows the plaintext of secure connections to be calculated by a network attacker. I discovered this issue in collaboration with Thai Duong and Krzysztof Kotowicz (also Googlers). SSL 3.0 is nearly 15 years old, but support for it remains widespread. Most importantly, nearly all browsers support it and, in order to work around bugs in HTTPS servers, browsers will retry failed connections with older protocol versions, including SSL 3.0. Because a network attacker can cause connection failures, they can trigger the use of SSL 3.0 and then exploit this issue."

[See also Kim Zetter, *WiReD*, 14 Oct 2014
<http://www.wired.com/2014/10/poodle-explained/> ]

------------------------------

Date: Fri, 24 Oct 2014 08:11:07 -0700
From: Jay Grizzard <elfchief () lupine org>
Subject: Re: Firedrive and Cloudflare

The recent firedrive.com outage has triggered several messages to RISKS that have pointed a finger at Cloudflare as a culpable party, because the IP address for firedrive.com matches IP addresses also owned by Cloudflare. While the latter is true (firedrive.com is in Cloudflare's IP space), this does not actually imply Cloudflare involvement, complacency, or responsibility.

Cloudflare is a Content Distribution Network (CDN). Basically, this means that they host no data at all -- they sell distribution services, much the same way a phone company does (though a better analogue might be an answering service). Companies (like Firedrive) pay Cloudflare to proxy incoming traffic for them, and cache the parts of that data that can be cached, as a way to offload traffic from their own servers, and make their websites more responsive to their users.

Blaming Cloudflare, in this case, is like blaming an answering service because your doctor's office isn't picking up their phone. No matter how much you beg, the answering service can't help you with that funny looking mole you just discovered -- all they can do is pass on your requests, and hope that your doctor responds. Cloudflare is just an intermediary here.

The real risk (beyond the mis-attribution of problems) is the continued belief that "the cloud" is some kind of magic sauce that relieves you of responsibility for the safety of your data (i.e. keeping backups). Any given cloud provider is a place you can store data, but cloud providers can fail, just like physical media can. Storing your important data on a single cloud provider is akin to storing your important data on a single hard drive. You /probably/ won't have a failure that causes you to lose data, but cloud providers (like hard drives) are fallible, and I seriously doubt that this will be the last major failure of a cloud storage company.

------------------------------

Date: Fri, 24 Oct 2014 06:12:31 -0700
From: Henry Baker <hbaker1 () pipeline com>
Subject: Re: Firedrive has gone down taking millions of files with it (Brady, RISKS-28.30)

Two words: "Erasure Code":
http://en.wikipedia.org/wiki/Erasure_code

"In information theory, an erasure code is a forward error correction (FEC) code for the binary erasure channel, which transforms a message of k symbols into a longer message (code word) with n symbols such that the original message can be recovered from a subset of the n symbols"

Aka RAIC -- Redundant Array of Independent Clouds

------------------------------

Date: Sun, 7 Oct 2012 20:20:16 -0900
From: RISKS-request () csl sri com
Subject: Abridged info on RISKS (comp.risks)

The ACM RISKS Forum is a MODERATED digest. Its Usenet manifestation is comp.risks, the feed for which is donated by panix.com as of June 2011.
=> SUBSCRIPTIONS: PLEASE read RISKS as a newsgroup (comp.risks or equivalent) if possible and convenient for you. The mailman Web interface can be used directly to subscribe and unsubscribe:
http://lists.csl.sri.com/mailman/listinfo/risks
Alternatively, to subscribe or unsubscribe via e-mail to mailman your FROM: address, send a message to
risks-request () csl sri com
containing only the one-word text subscribe or unsubscribe. You may also specify a different receiving address: subscribe address= ... . You may short-circuit that process by sending directly to either
risks-subscribe () csl sri com or risks-unsubscribe () csl sri com
depending on which action is to be taken. Subscription and unsubscription requests require that you reply to a confirmation message sent to the subscribing mail address. Instructions are included in the confirmation message. Each issue of RISKS that you receive contains information on how to post, unsubscribe, etc.
=> The complete INFO file (submissions, default disclaimers, archive sites, copyright policy, etc.) is online.
<http://www.CSL.sri.com/risksinfo.html>
*** Contributors are assumed to have read the full info file for guidelines.
=> .UK users may contact <Lindsay.Marshall () newcastle ac uk>.
=> SPAM challenge-responses will not be honored. Instead, use an alternative address from which you NEVER send mail!
=> SUBMISSIONS: to risks () CSL sri com with meaningful SUBJECT: line.
*** NOTE: Including the string `notsp' at the beginning or end of the subject
*** line will be very helpful in separating real contributions from spam.
*** This attention-string may change, so watch this space now and then.
=> ARCHIVES: ftp://ftp.sri.com/risks for current volume
or ftp://ftp.sri.com/VL/risks for previous VoLume
http://www.risks.org takes you to Lindsay Marshall's searchable archive at newcastle:
http://catless.ncl.ac.uk/Risks/VL.IS.html gets you VoLume, ISsue.
Lindsay has also added to the Newcastle catless site a palmtop version of the most recent RISKS issue and a WAP version that works for many but not all telephones: http://catless.ncl.ac.uk/w/r
<http://the.wiretapped.net/security/info/textfiles/risks-digest/> .
==> PGN's comprehensive historical Illustrative Risks summary of one liners:
<http://www.csl.sri.com/illustrative.html> for browsing,
<http://www.csl.sri.com/illustrative.pdf> or .ps for printing
is no longer maintained up-to-date except for recent election problems.
*** NOTE: If a cited URL fails, we do not try to update them. Try browsing on the keywords in the subject line or cited article leads.
==> Special Offer to Join ACM for readers of the ACM RISKS Forum:
<http://www.acm.org/joinacm1>

------------------------------

End of RISKS-FORUM Digest 28.31
************************