RISKS Forum mailing list archives
Risks Digest 29.44
From: RISKS List Owner <risko () csl sri com>
Date: Tue, 5 Apr 2016 17:16:15 PDT
RISKS-LIST: Risks-Forum Digest  Tuesday 5 April 2016  Volume 29 : Issue 44

ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
Peter G. Neumann, moderator, chmn ACM Committee on Computers and Public Policy

***** See last item for further information, disclaimers, caveats, etc. *****
This issue is archived at <http://www.risks.org> as
  <http://catless.ncl.ac.uk/Risks/29.44.html>
The current issue can be found at
  <http://www.csl.sri.com/users/risko/risks.txt>

  Contents:
Wrecking crew demolishes wrong house due to Google Maps error (Softpedia)
WhatsApp adopts default encryption (*WiReD*)
With Hospital Ransomware Infections, the Patients Are at Risk (TechReview)
Ransomware vs. US government agencies (Al Mac)
US State Dept database vulnerabilities (Al Mac)
Technology Upgrades Get White House Out of the 20th Century (NYTimes)
Hayden on encryption v. metadata (Henry Baker)
Panama Papers (Al Mac)
Many law firms hacked (Al Mac)
Risks of car manufacturers adding flash (Steve Loughran)
Why I Don't Make Financial Decisions on My Smartphone? (NYTimes)
Man gets free holidays and car rentals after changing surname to 'Null'
  (Caroline Mcguire via Chris Drewe)
How one programmer broke the Internet by deleting a tiny piece of code (QZ)
DoD Picks HackerOne to Operate Bug Bounty Pilot Program (HackerOne)
Satellite Images Can Pinpoint Poverty Where Surveys Can't (NYTimes)
"Node.js alert: Google engineer finds flaw in NPM scripts" (Fahmida Y. Rashid)
Google April Fool's prank backfires -- possibly? (Peter Houppermans)
April fools? (Martyn Thomas)
Abridged info on RISKS (comp.risks)

----------------------------------------------------------------------

Date: Fri, 01 Apr 2016 19:35:27 +0800
From: Dan Jacobson <jidanni () jidanni org>
Subject: Wrecking crew demolishes wrong house due to Google Maps error

Company Demolishes Wrong Housing Duplex Following Google Maps Error
Wrecking crew forgets to double-check location
http://news.softpedia.com/news/company-demolishes-wrong-housing-duplex-after-google-maps-error-502188.shtml

A wrecking company has demolished the wrong housing duplex after one of its employees was misled by a Google Maps error.

In December 2015, the city of Rowlett, near Dallas, Texas, was hit by a tornado that destroyed or damaged multiple houses. Some of the unlucky homeowners who had their houses damaged beyond repair contacted demolition companies to have their house lots cleared in order to start rebuilding their new homes.

One of the contacted companies was Billy L. Nabors Demolition, who was contracted to demolish the house at 7601 Cousteau Drive...

Never, ever, hire a demolition company from another town...

------------------------------

Date: Tue, 5 Apr 2016 9:17:45 PDT
From: "Peter G. Neumann" <neumann () csl sri com>
Subject: WhatsApp adopts default encryption *WiReD*

http://www.wired.com/2016/04/forget-apple-vs-fbi-whatsapp-just-switched-encryption-billion-people/

------------------------------

Date: Sun, 3 Apr 2016 02:12:22 -0400
From: Monty Solomon <monty () roscom com>
Subject: With Hospital Ransomware Infections, the Patients Are at Risk

Ransomware that locks up patient data in hospitals is disrupting medical care, and the problem is set to get worse.
https://www.technologyreview.com/s/601143/with-hospital-ransomware-infections-the-patients-are-at-risk/

------------------------------

Date: Mon, 4 Apr 2016 14:06:09 -0500
From: "Alister Wm Macintyre \(Wow\)" <macwheel99 () wowway com>
Subject: Ransomware vs.
US government agencies

Some 29 federal agencies reported they were targeted with ransomware 321 times between June and early December 2015, according to a Department of Homeland Security response to an inquiry by Sen. Tom Carper. The Delaware Democrat, who serves as the ranking member of the US Senate Homeland Security and Governmental Affairs Committee, had requested information about the government's ransomware defenses as part of the panel's oversight of government IT security.
<https://www.hsgac.senate.gov/download/dhs-responds-to-carper-inquiries-on-response-to-threat-of-ransomware>
<http://www.carper.senate.gov/public/index.cfm/pressreleases?ID=01C0457D-DF6D-47E1-9096-07413536C080>

Assistant Attorney General Peter Kadzik, in the DOJ's response to Carper's inquiry, said the FBI's Internet Crime Complaint Center (IC3) received 7,694 ransomware complaints in 2015, with losses from these attacks costing victims an estimated $57.6 million.

In addition to federal agencies, state and local governments are also being targeted. The Multi-State Information Sharing and Analysis Center told DHS that MS-ISAC's associated Computer Emergency Response Team identified and addressed 40 incidents related to ransomware-associated activity on state, local, tribal and territorial governments' systems. We do not know if recent occasional news stories about ransomware attacks on local institutions are included in those statistics.
http://www.govinfosecurity.com/ransomware-attacks-against-government-agencies-widespread-a-9005

To boost profits, operators of ransomware are hiring and funding their own development teams to fashion new variants of malware, according to Cisco's latest Midyear Security Report.
<http://www.cisco.com/web/offers/lp/2015-midyear-security-report/index.html>
https://fcw.com/articles/2015/12/04/lyngaas-congressmen-ransomware.aspx

Senator Carper's inquiry was sent December 2015. According to the DHS 7-page (50 KB PDF) report: The Department of Homeland Security's (DHS) National Cybersecurity and Communications Integration Center (NCCIC) has received reports of 337 ransomware-related incidents since June 2015. The NCCIC received these reports from federal government agencies, the private sector, international partners, and the general public.

The DoJ report is 8 pages (5.8 MB), part of which is redacted in the general public edition. There is more info in these 2 reports than the ransomware statistics I am citing.

------------------------------

Date: Sat, 2 Apr 2016 23:07:03 -0500
From: "Alister Wm Macintyre \(Wow\)" <macwheel99 () wowway com>
Subject: US State Dept database vulnerabilities

The US State Dept has a system, for tracking people who wish to travel to and from the USA, which has been found to have vulnerabilities exposing a billion people to hackers, and allowing alteration of the applications of potential visitors to the USA, potentially opening the border to terrorists. In 2015 alone, the State Department denied more than 2,200 applications from people with a *suspected connection to terrorism,* a senior homeland security official told lawmakers last month.

It is the Consular Consolidated Database (CCD). It holds current and archived visa records and data, including names, photos, addresses, biometric data and identification numbers from the Bureau of Consular Affairs (BCA) and is key to processing passport applications for visa applicants and travelers.

Visit search engines looking for info on this, and we find this is not the first instance of cybersecurity problems with the CCD.
http://abcnews.go.com/US/exclusive-security-gaps-found-massive-visa-database/story?id=38041051
http://thehill.com/policy/cybersecurity/274819-security-holes-found-in-state-department-visa-database-report
http://fortune.com/2016/04/02/data-sheet-saturday-april-2-2016/
https://fcw.com/articles/2016/04/01/visa-state-vulnerable.aspx
http://cio.economictimes.indiatimes.com/news/digital-security/security-vulnerabilities-found-in-us-visa-database-report/51657905
https://travel.state.gov/content/visas/en/law-and-policy/bulletin.html

------------------------------

Date: Mon, 4 Apr 2016 12:28:47 -0400
From: Gabe Goldberg <gabe () gabegold com>
Subject: Technology Upgrades Get White House Out of the 20th Century

As President Obama prepares to leave the White House, one of his legacies will be the office information technology upgrade that his staff has finally begun.
http://www.nytimes.com/2016/04/04/us/politics/technology-upgrades-get-white-house-out-of-the-20th-century.html

Risks? Distributed/conflicting technology teams/ agendas/ authorities/ abilities, plus a nice dose of politics and national security. Stir vigorously until catastrophe ensues.

------------------------------

Date: March 23, 2016 at 8:11:11 PM EDT
From: Henry Baker <hbaker1 () pipeline com>
Subject: Hayden on encryption v. metadata

[Also in Cryptography]

https://www.lawfareblog.com/lawfare-podcast-general-michael-hayden-discusses-american-intelligence-age-terror

Highly recommended, *especially* if you disagree with Hayden.

Basically, Hayden is ok with just about anything -- including torture -- so long as it is approved by someone higher up. Methinks he might not fare so well in a Nuremberg-type trial, but perhaps those ethics are sooo last century.

However, Hayden does think that the FBI is p*ss*ng into the wind on encryption, because any restrictions on encryption will drive technology overseas & weaken the U.S. tech economy.
Hayden is basically agreeing with the statement "we kill people based on metadata", so you'd better believe that social graphs, GPS coordinate positions, etc., are being hoovered up, big time. Perhaps the FBI will be forced to de-parallel-construct their DRT-bag data for the U.S. courts, but I suspect that NSA has no such scruples.

There was an unclassified program by a small midwest company a couple of years ago that did 2 things: collected huge amounts of continuous hi-res video surveillance imagery and built a time-line database. Subsequently, an inquiry about the position of a car at 2:17pm at such-and-such a location could be run *backwards* in time to see where the car came from. Although this data was used to catch a few very surprised criminals who found the police patiently waiting for them at their homes, it was either deemed too creepy (hard to believe!) or too expensive to continue.

However, I think the real reason why this surveillance technique was dropped (from public discussion, anyway) is that exactly the same database technology is *already* in use to track cellphones backwards in time. This can be done with cheap, ubiquitous NSA junior-varsity-type technology -- collect cellphone signals, wifi signals, Bluetooth signals. Thus, if person X is noticed at location Y at time T, then the database can track person X backwards over the past hours, days, months to see if person X ever came close to person Y. If this happens in some locations on the globe, and if person Y is considered a "bad guy/gal", then person X is now considered to be a "bad guy/gal". Hayden may not even know person X's name or gender, but the U.S. might still target person X for killing simply on the basis of this metadata.

Hayden seems completely ok with this sort of thinking, but then he has lime on his cleats (his too cute football analogy re coming too close to getting out of bounds).

So while the encryption fight is going on, a far more insidious type of surveillance is taking place, but without being discussed or approved by anyone in Congress or the courts. I believe that this type of system is what Hayden is referring to when he says that -- far from "going dark" -- this is currently the "golden age" of surveillance.

------------------------------

Date: Mon, 4 Apr 2016 20:14:40 -0500
From: "Alister Wm Macintyre \(Wow\)" <macwheel99 () wowway com>
Subject: Panama Papers

11.5 million documents leaked, estimated to contain about 2.6 terabytes of data. They were at a law firm in Panama. Contents cover off-shore accounts, and financial activities which may be illegal for some of the participants, depending on their home nations, where the money went, and if proper tax reporting was done. Many allegations, in the papers, need confirmation. The named individuals are denying this info. The law firm says they are a victim, in this leak.

https://www.reddit.com/live/wp1fvdxxwb45/
https://panamapapers.icij.org/graphs/
http://www.usatoday.com/story/tech/news/2016/04/04/stealing-115-million-documents-panama-papers-snowden-sony-hack-leak/82613940/
http://www.reuters.com/article/us-panama-tax-idUSKCN0X10C2

------------------------------

Date: Tue, 5 Apr 2016 14:37:31 -0500
From: "Alister Wm Macintyre \(Wow\)" <macwheel99 () wowway com>
Subject: Many law firms hacked

50 plus law firms got hacked, including the most prestigious, of several nations. The good news is that many law firms are waking up to their fiduciary cyber security responsibilities, much more rapidly than we have seen for other industries. Firms are also signing up to join the information-sharing group about cyberthreats formed by Financial Services Information Sharing and Analysis Center (FS-ISAC).
https://www.fsisac.com/
http://abovethelaw.com/2016/03/beware-of-big-hacking-in-biglaw/

See page 2 of above link, for where I got this list of 47 of the law firms involved.
This list was compiled by Flashpoint (via Crain's Chicago Business).
<http://www.chicagobusiness.com/article/20160329/NEWS04/160329840/russian-cyber-criminal-targets-elite-chicago-law-firms?X-IgnoreUserAgent=1>

Akin Gump Strauss Hauer & Feld
Allen & Overy
Baker & Hostetler
Baker Botts
Cadwalader Wickersham & Taft
Cleary Gottlieb Steen & Hamilton
Covington & Burling
Cravath Swaine & Moore
Davis Polk & Wardwell
Debevoise & Plimpton
Dechert
DLA Piper
Ellenoff Grossman & Schole
Freshfields Bruckhaus Deringer
Fried Frank Harris Shriver & Jacobson
Gibson Dunn & Crutcher
Goodwin Procter
Hogan Lovells
Hughes Hubbard & Reed
Jenner & Block
Jones Day
Kaye Scholer
Kirkland & Ellis
Kramer Levin Naftalis & Frankel
Latham & Watkins
McDermott Will & Emery
Milbank Tweed Hadley & McCloy
Morgan Lewis & Bockius
Morrison & Foerster
Nixon Peabody
Paul Hastings
Paul Weiss Rifkind Wharton & Garrison
Pillsbury Winthrop Shaw Pittman
Proskauer Rose
Ropes & Gray
Schulte Roth & Zabel
Seward & Kissel
Shearman & Sterling
Sidley Austin
Simpson Thacher & Bartlett
Skadden Arps Slate Meagher & Flom
Sullivan & Cromwell
Vinson & Elkins
Wachtell Lipton Rosen & Katz
Weil Gotshal & Manges
White & Case
Willkie Farr & Gallagher

Apparently some crooks were seeking info on mergers & acquisitions, for the purpose of insider trading.

Law firms have also been victimized by ransomware.

Law firms have also been recipients of the CEO scam [browse on "Fake President Scam"], where a junior executive is ordered by the higher one to transmit some money some place, and keep this confidential, when the order is really coming from someone faking out the senior executive. If all their security rules, and normal e-mail traffic, are on the computer network, and the computer network is hacked, then this kind of scam is easy to perpetrate.

A problem common to many companies, including law firms, is that senior leaders of the companies are free to disregard security rules which apply to lower-level employees, acting as if they are above the company laws & regulations. If they had proper security audits, this would be revealed, and if the law required that they show the results of audits to their clients, then such behavior would cease, and the whole industry would become more secure.

http://www.lawgazette.co.uk/practice/ma-hack-attack-on-48-elite-law-firms/5054524.article
http://www.americanlawyer.com/id=1202753706763/Cravath-Admits-Breach-as-Law-Firm-Hacks-Go-Public-?slreturn=20160305150736
http://www.bbc.com/news/technology-35933246

A common claim by hacked outfits is that no data was taken, and we always wonder how they know this. Breach laws only require that non-government organizations truthfully report when the data taken is PII of humans. There are many forms of breaches, for which the breached institution has no legal obligation to report the event to anyone, and many reasons to cover it up, so as not to have their reputation impaired. Government organizations are generally required to report breaches to whatever government agency tracks security problems, and tries to manage their mitigation. Most of this never gets to the general public beyond some statistics.

Due Diligence when we contract with some place for business, includes finding out if they have good security. But just as good security requires layered protection, cover-ups also involve layers, so potential customers, of outfits which are good at cover-ups, will probably never learn about security breaches there.

Who financed the implementation of IT security, at the hacked law firms?

In the business world there are many professions. We trust lawyers to know the law. We trust accountants to balance the books. We trust IT security professionals to know what is needed, and to do the job right, provided they get the resources they need to implement good security. We do not trust people to perform jobs for which they have not had the proper training. We do not trust people, who do not have training, to know what they are missing out on, by not having the training. Unfortunately, many business leaders lack the understanding I have stated above.

------------------------------

Date: Mon, 4 Apr 2016 18:20:01 +0100
From: Steve Loughran <steve.loughran () gmail com>
Subject: Risks of car manufacturers adding flash

For people wondering how secure their newly purchased car is, why not take a look at the manual on the "media centre", a manual which is now bigger than one on "driving your vehicle safely to your chosen destination".

I was certainly surprised to see a section on how to disable flash in the manual of a 2012 car we had just purchased second-hand.
https://www.flickr.com/photos/steve_l/25625279674/in/album-72157623050830883/

I've been trying very hard to have a vaguely secure house, with "removing flash off all devices" being one of the tasks undertaken. The fact that it's being built into vehicle entertainment systems means I appear to be fighting a losing battle.

An emergency check of the vehicle showed me that, fortunately, the previous owner had not opted for the "web browser" feature when buying their vehicle. As well as keeping flash out of the vehicle, it meant their web browsing history and cookies were not available to me.

The fact that car manufacturers are putting software with such an awful track record of security into the firmware of their systems is not a good sign for future vehicle security.

------------------------------

Date: Sun, 3 Apr 2016 11:44:20 -0400
From: Monty Solomon <monty () roscom com>
Subject: Why I Don't Make Financial Decisions on My Smartphone?
http://www.nytimes.com/2016/03/27/your-money/why-i-dont-make-financial-decisions-on-my-smartphone.html

------------------------------

Date: Tue, 29 Mar 2016 22:40:19 +0100
From: Chris Drewe <e767pmk () yahoo co uk>
Subject: Man gets free holidays and car rentals after changing surname to 'Null' (Caroline Mcguire)

Just spotted this on a newspaper web site -- don't know if it's for real (but it's not April 1st yet!):

Caroline Mcguire for MailOnline
<http://www.dailymail.co.uk/travel/travel_news/article-3513652/The-cleverest-time-Man-gets-free-holidays-car-rentals-changing-surname-Null.html>

People will go to extreme lengths to bag themselves a freebie these days, but one American has come up with the ultimate bag to get free holidays - a name change. The man claims to have been given seven free nights at seven different hotels and free-of-charge car rental after changing his surname to 'Null'. Raven Felix Null, 24, from the United States, says he changed his surname after becoming an adult and claims the word 'Null' is incompatible with a lot of computer programming, leading to many systems not recognising him as a person.

------------------------------

Date: Sat, 2 Apr 2016 21:17:42 -0400
From: Monty Solomon <monty () roscom com>
Subject: How one programmer broke the Internet by deleting a tiny piece of code

http://qz.com/646467/how-one-programmer-broke-the-internet-by-deleting-a-tiny-piece-of-code/

------------------------------

Date: Sat, 2 Apr 2016 10:52:20 -0400
From: Gabe Goldberg <gabe () gabegold com>
Subject: DoD Picks HackerOne to Operate Bug Bounty Pilot Program

Washington, DC -- In a first-of-its-kind program for the federal government, the *Department of Defense* has selected San Francisco-based *HackerOne* to operate its "Hack the Pentagon" bug bounty pilot, aimed at bolstering the department's cybersecurity. Under the program, the company will invite qualified hackers to participate in a 20-day bug bounty pilot beginning April 18. The goal will be to find and report security vulnerabilities within DoD websites so they can be safely resolved. Individual bounty payments will depend on a number of factors, but will come from the $150,000 in funding for the program.

"This initiative will put the department's cybersecurity to the test in an innovative but responsible way," said Defense Secretary *Ashton Carter.* "I encourage hackers who want to bolster our digital defenses to join the competition and take their best shot."

A registration site is now live and can be accessed at the top link below.
https://hackerone.com/hackthepentagon

------------------------------

Date: Sun, 3 Apr 2016 12:47:29 -0400
From: Monty Solomon <monty () roscom com>
Subject: Satellite Images Can Pinpoint Poverty Where Surveys Can't

http://www.nytimes.com/2016/04/03/upshot/satellite-images-can-pinpoint-poverty-where-surveys-cant.html

Information that can be gathered from novel sources, using algorithms, can help determine the best places to spend limited resources.

------------------------------

Date: Fri, 01 Apr 2016 10:06:11 -0700
From: Gene Wirchenko <genew () telus net>
Subject: "Node.js alert: Google engineer finds flaw in NPM scripts" (Fahmida Y. Rashid)

Fahmida Y. Rashid, InfoWorld, 28 Mar 2016
Node.js developers, run NPM install at your own risk -- a self-replicating worm can easily spread through the ecosystem
http://www.infoworld.com/article/3048526/security/nodejs-alert-google-engineer-finds-flaw-in-npm-scripts.html

------------------------------

Date: Fri, 1 Apr 2016 12:53:58 +0200
From: Peter Houppermans <peter () houppermans net>
Subject: Google April Fool's prank backfires -- possibly?
The Net appears awash with reports about a Google Mail prank that backfired:
http://techcrunch.com/2016/04/01/google-reverses-gmail-april-1-prank-after-users-mistakently-put-gifs-into-important-emails/

It appears Google took it upon itself to replace various buttons in their user interface with some that added information to email.

I am aware that it's April 1st so even the news stories could be pranks themselves.

------------------------------

Date: Fri, 1 Apr 2016 11:35:25 +0100
From: Martyn Thomas <martyn () thomas-associates co uk>
Subject: April fools?

With apologies to Arthur C Clarke: "any description of sufficiently advanced technology is indistinguishable from an April Fool."

  [Note: The Silver Swan, 1611 madrigal by Orlando Gibbons, words allegedly by Sir Christopher Hatton, the last line of which is
    More Geese than Swans now live, more Fools than Wise ...  PGN]

------------------------------

Date: Mon, 17 Nov 2014 11:11:11 -0800
From: RISKS-request () csl sri com
Subject: Abridged info on RISKS (comp.risks)

The ACM RISKS Forum is a MODERATED digest. Its Usenet manifestation is comp.risks, the feed for which is donated by panix.com as of June 2011.

=> SUBSCRIPTIONS: PLEASE read RISKS as a newsgroup (comp.risks or equivalent) if possible and convenient for you. The mailman Web interface can be used directly to subscribe and unsubscribe:
   http://mls.csl.sri.com/mailman/listinfo/risks
   Alternatively, to subscribe or unsubscribe via e-mail to mailman your FROM: address, send a message to
     risks-request () csl sri com
   containing only the one-word text subscribe or unsubscribe. You may also specify a different receiving address: subscribe address= ... . You may short-circuit that process by sending directly to either
     risks-subscribe () csl sri com  or  risks-unsubscribe () csl sri com
   depending on which action is to be taken.
   Subscription and unsubscription requests require that you reply to a confirmation message sent to the subscribing mail address. Instructions are included in the confirmation message. Each issue of RISKS that you receive contains information on how to post, unsubscribe, etc.

=> The complete INFO file (submissions, default disclaimers, archive sites, copyright policy, etc.) is online.
   <http://www.CSL.sri.com/risksinfo.html>
   *** Contributors are assumed to have read the full info file for guidelines.

=> .UK users may contact <Lindsay.Marshall () newcastle ac uk>.

=> SPAM challenge-responses will not be honored. Instead, use an alternative address from which you NEVER send mail!

=> SUBMISSIONS: to risks () CSL sri com with meaningful SUBJECT: line.
   *** NOTE: Including the string `notsp' at the beginning or end of the subject
   *** line will be very helpful in separating real contributions from spam.
   *** This attention-string may change, so watch this space now and then.

=> ARCHIVES: ftp://ftp.sri.com/risks for current volume
   or ftp://ftp.sri.com/VL/risks for previous VoLume
   http://www.risks.org takes you to Lindsay Marshall's searchable archive at newcastle:
   http://catless.ncl.ac.uk/Risks/VL.IS.html gets you VoLume, ISsue.
   Lindsay has also added to the Newcastle catless site a palmtop version of the most recent RISKS issue and a WAP version that works for many but not all telephones: http://catless.ncl.ac.uk/w/r
   <http://the.wiretapped.net/security/info/textfiles/risks-digest/> .

==> PGN's historical Illustrative Risks summary of one liners:
   <http://www.csl.sri.com/illustrative.html> for browsing,
   <http://www.csl.sri.com/illustrative.pdf> or .ps for printing
   is no longer maintained up-to-date except for recent election problems.

*** NOTE: If a cited URL fails, we do not try to update them. Try browsing on the keywords in the subject line or cited article leads.

==> Special Offer to Join ACM for readers of the ACM RISKS Forum:
   <http://www.acm.org/joinacm1>

------------------------------

End of RISKS-FORUM Digest 29.44
************************