RISKS Forum mailing list archives
Risks Digest 29.46
From: RISKS List Owner <risko () csl sri com>
Date: Thu, 14 Apr 2016 11:10:48 PDT
RISKS-LIST: Risks-Forum Digest  Thursday 14 April 2016  Volume 29 : Issue 46

ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
Peter G. Neumann, moderator, chmn ACM Committee on Computers and Public Policy

***** See last item for further information, disclaimers, caveats, etc. *****
This issue is archived at <http://www.risks.org> as
  <http://catless.ncl.ac.uk/Risks/29.46.html>
The current issue can be found at
  <http://www.csl.sri.com/users/risko/risks.txt>

  Contents:
President Obama's Commission on Enhancing National Cybersecurity
  (Michael Daniel, Ed Felten, and Tony Scott)
Burr-Feinstein bill draft (PGN)
Senate Cybersecurity panel unveils long-awaited encryption bill (The Hill)
Feds say they hired a hardware hacker to crack the San Bernardino phone
  (WashPo)
Online election hacking (BBW)
Failure in bank security (Corwyn)
Re: Japanese computer system problems left many flight passengers stranded
  (Alister Macintyre)
Re: The Panama Papers and Barbara Streisand (Michael Bacon)
Abridged info on RISKS (comp.risks)

----------------------------------------------------------------------

Date: Thu, 14 Apr 2016 10:19:25 PDT
From: "Peter G. Neumann" <neumann () csl sri com>
Subject: President Obama's Commission on Enhancing National Cybersecurity

https://www.whitehouse.gov/blog/2016/04/13/announcing-presidents-commission-enhancing-national-cybersecurity
Michael Daniel, Ed Felten, and Tony Scott, 13 Apr 2016

In February, the President announced a Cybersecurity National Action Plan
(CNAP) to take a series of short-term and long-term actions to improve our
nation's cybersecurity posture. A central feature of that plan is the
non-partisan Commission on Enhancing National Cybersecurity, comprised of
leading thinkers from business, technology, and academia and charged with
making recommendations to the nation for actions that can be taken over the
next decade to strengthen cybersecurity in both the public and private
sector.
Today, we are pleased to announce that the President and the bipartisan
Congressional leadership have selected the 12 individuals to serve on the
Commission. They are:

* Tom Donilon, former Assistant to the President and National Security
  Advisor (Chair)
* Sam Palmisano, former CEO of IBM (Vice Chair)
* General Keith Alexander, CEO of IronNet Cybersecurity, former Director of
  the National Security Agency and former Commander of U.S. Cyber Command
* Annie Anton, Professor and Chair of the School of Interactive Computing at
  Georgia Tech
* Ajay Banga, President and CEO of MasterCard
* Steven Chabinsky, General Counsel and Chief Risk Officer of CrowdStrike
* Patrick Gallagher, Chancellor of the University of Pittsburgh and former
  Director of the National Institute of Standards and Technology
* Peter Lee, Corporate Vice President, Microsoft Research
* Herbert Lin, Senior Research Scholar for Cyber Policy and Security at the
  Stanford Center for International Security and Cooperation and Research
  Fellow at the Hoover Institution
* Heather Murren, former member of the Financial Crisis Inquiry Commission
  and co-founder of the Nevada Cancer Institute
* Joe Sullivan, Chief Security Officer of Uber and former Chief Security
  Officer of Facebook
* Maggie Wilderotter, Executive Chairman of Frontier Communications

These 12 individuals will be charged with recommending bold, actionable steps
that the government, private sector, and the nation as a whole can take to
bolster cybersecurity in today's digital world, and reporting back by the
beginning of December. They will hold their first public meeting tomorrow at
the U.S. Department of Commerce, where they will be joined by Secretary of
Commerce Penny Pritzker, Assistant to the President for Homeland Security and
Counterterrorism Lisa Monaco, and others to discuss the critical work that
lies ahead for the Commission.

From the beginning of his Administration, the President has made it clear
that cybersecurity is one of the most important challenges we face as a
Nation. For more than seven years, we have acted comprehensively to make
progress towards three goals:

* Raise the level of cybersecurity in both the public and private sectors.
* Deter, disrupt, and interfere with malicious cyber activity aimed at the
  U.S. or its allies.
* Respond effectively to and recover from cyber incidents.

Recent accomplishments in pursuit of these goals include the Cyber Threat
Intelligence Integration Center (CTIIC) attaining initial operating
capability; reaching an unprecedented set of commitments with China's
President on cybersecurity; deploying strong authentication for 81 percent of
accounts on federal systems; and implementing the Cybersecurity Act of 2015
to enhance cybersecurity information sharing and improve cyber-defense
throughout the nation. [...]

------------------------------

Date: Wed, 13 Apr 2016 11:59:06 PDT
From: "Peter G. Neumann" <neumann () csl sri com>
Subject: Burr-Feinstein bill draft

The Burr-Feinstein discussion draft now released:
Compliance with Court Orders Act of 2016
http://www.feinstein.senate.gov/public/index.cfm?a=files.serve&File_id=5B990532-CC7F-427F-9942-559E73EB8BFB

Here's my short-version summary:

It would compel "covered entities" (very broad: device manufacturer, software
manufacturer, electronic communication service, provider of a remote computing
service, or any person who provides a product or method to facilitate a
communication or processing or storage of data) to comply with court orders
[*] to provide data or otherwise assist in efforts to prosecute crimes
(resulting in death; foreign intelligence, espionage, and terrorism; Federal
crime against a minor; serious violent felony; serious Federal drug crime;
state crimes equivalent to the previous ones). However, the draft bill does
not prescribe penalties for noncompliance, and seems to leave that up to the
courts.
That could be quite a slippery slope -- and could easily tend to act as a
not-so-veiled threat.

[*] The draft says "an order or warrant", so presumably a subpoena would be
sufficient? When I testified for the Senate Judiciary Committee on 9 Jul
1997, Senator Leahy began the first morning session by getting Bob Kerrey to
admit that he did not know that his own Kerrey-McCain bill required only a
subpoena, and not a warrant. I think what constitutes a "court order" is a
potentially sticky wicket here.

Incidentally, my testimony in the second session that day is at
http://www.csl.sri.com/neumann/judiciary.html, along with my answers to
subsequent written questions from Senators Thurmond, Grassley, Leahy, and
Feinstein. At the end of the first session, Senator Feinstein excused herself
to go to another hearing, but remarked that if FBI Director Freeh said he
needed access to essentially everything, we'd better give it to him.

------------------------------

Date: Wed, 13 Apr 2016 16:45:40 -0700
From: Lauren Weinstein <lauren () vortex com>
Subject: Senate Cybersecurity panel unveils long-awaited encryption bill

http://thehill.com/policy/cybersecurity/overnights/276219-overnight-cybersecurity-long-awaited-encryption-bill-lands

  The measure, from Chairman Richard Burr (R-N.C.) and ranking member Dianne
  Feinstein (D-Calif.), would force companies to provide "technical
  assistance" to government investigators seeking locked data. Little has
  changed in the bill since an initial discussion draft was first made public
  by The Hill last week. The measure still states that a company must provide
  "information or data" to the government "in an intelligible format" when
  served with a court order.

The obvious outcome of this of course would be the rapid deployment of even
more third-party apps to layer strong crypto without government backdoors
onto the systems that the government mandates must be made hacker, criminal,
and terrorist attack friendly via government backdoors.
Next, the government plans to make it illegal to speak in unfamiliar
languages, and will mandate the installation of cameras in every room of
every home and business that can be enabled under court order. Just wait
until you see what they'll demand in the future for data collection and
remote control from and over autonomous vehicles!

  [It is also likely to open up a huge market for non-U.S. meaningfully
  secure operating systems and well-embedded strong cryptography, and
  noncompliant apps. Unfortunately, the U.S. government itself may have to
  resort to non-U.S. products if they cannot get them domestically -- which
  represents a huge set of risks. PGN]

------------------------------

Date: April 14, 2016 at 5:07:14 AM GMT+9
From: "John Levine" <johnl () iecc com>
Subject: Feds say they hired a hardware hacker to crack the San Bernardino phone

  (from Cryptography via Dave Farber)

The WashPo says:

  The FBI cracked a San Bernardino terrorist's phone with the help of
  professional hackers who discovered and brought to the bureau at least one
  previously unknown software flaw, according to people familiar with the
  matter. ... The new information was then used to create a piece of hardware
  that helped the FBI to crack the iPhone's four-digit personal
  identification number without triggering a security feature that would
  have erased all the data, the individuals said. ...

Even without a new flaw, that suggests something like the plan many people
suggested to make an image of the device's memory and restore it after each
group of PIN guesses.
https://www.washingtonpost.com/world/national-security/fbi-paid-professional-hackers-one-time-fee-to-crack-san-bernardino-iphone/2016/04/12/5397814a-00de-11e6-9d36-33d198ea26c5_story.html?hpid=hp_hp-cards_no-name%3Ahomepage%2Fcard

------------------------------

Date: Tue, 12 Apr 2016 16:32:19 -0500
From: "Alister Wm Macintyre (Wow)" <macwheel99 () wowway com>
Subject: Online election hacking (BBW)

Pages 60-65 of the April 4-10 BBW are on the history of hacking on-line
elections in the Americas. It has reportedly happened in Colombia, Costa
Rica, El Salvador, Guatemala, Honduras, Mexico, Nicaragua, Panama, and
Venezuela. A person accused of participating in this election rigging is now
allegedly working in the Donald Trump campaign. [...]

http://www.bloomberg.com/content-service/blog/2016-04-08/hack-election-comohackear-una-eleccion/

------------------------------

Date: Mon, 11 Apr 2016 16:54:11 -0400
From: risks () corwyn net
Subject: Failure in bank security

Today I spent a while on the phone puzzling out an error in my SunTrust
account, eventually determined to be me having transferred money from my
line of credit (check protection) instead of my checking account. Mea culpa.

To try to prevent making the same error again, I asked that they remove the
line of credit from my Internet access. They said they could not. I asked if
I could decrease the credit limit on the account, and they said "sure". All I
needed to do was send them authorization from my email account. My personal
email account.

I asked if I could instead use the "Secure Message" system within my on-line
account, and was told that I couldn't submit the change from there; the
message had to come from my personal account. I spent a long time on the
phone trying to get to someone who would understand that my personal email
address didn't count as "secure" or "authenticated", to no avail.

------------------------------

Date: Mon, 11 Apr 2016 19:51:54 -0500
From: "Alister Wm Macintyre (Wow)" <macwheel99 () wowway com>
Subject: Re: Japanese computer system problems left many flight passengers
  stranded (Ishikawa, RISKS-29.45)

CI, Thanks for the Japanese to English translation. You were unsure about
the Cache. I think the explanation that you quoted is BS.

Approx 35 years ago I first started working with cache. The concept was that
accessing data from disk drives took thousandths of seconds, while accessing
from memory took millionths of seconds. Systems may be faster today, but the
same ratio may apply. So we in IT had the option of setting aside a portion
of memory for cache, which was memory of most recent disk accesses, on the
theory that that data might be needed again very soon, so by having the
latest updated copy in the cache, it could be accessed faster. Also, copying
the updated data to disk could happen as microseconds permit, without
holding up the parade of other activities. In case of some disruption,
making sure info in cache was written back to disk was a priority.

Failures in this system could occur if

* The overall system did not have enough "gas" to handle normal loads, and
  typical busy time periods. By "gas" I mean speed, disk capacity, memory,
  processors, file balancing, all the "stuff" needed for a well tuned
  computer system.
* Badly written software messed with the amount of memory assigned to cache.
* To get good cache results, programs need to nibble on data in reasonable
  size chunks, and the routines need to be of reasonable size. We might not
  get this with poorly written programs.
* The cache memory worked thanks to a battery, recharged like a miniature
  UPS, whose battery does not live forever. As it wears out, there is a
  system error message to warn IT that we need to schedule hardware
  maintenance to replace the cache battery. If no one is paying attention
  to the hardware warning messages, then the cache benefit could come to a
  sudden surprising halt.
* Performance tools show how efficiently cache is functioning, to indicate
  whether the organization can benefit from buying more memory. They also
  show where there are potential bottlenecks, such as activity waiting on a
  communication line which is overloaded (needs to be faster, more
  bandwidth), or a bottleneck waiting on data through some processor (maybe
  we need more processors, such as a math chip). If the tools tell IT that
  certain upgrades are needed to improve performance, but management won't
  approve the expenditure, then the result can be inconvenience for some of
  the users. Performance Tools also identify bottlenecks thanks to the
  specific programs which are badly written, with some info on where in the
  programs they have problems.
* Software updates should go through some kind of testing. They had a
  backup machine. Did they use that for testing, since the main one was
  very busy?

http://itpro.nikkeibp.co.jp/atcl/news/16/040601011/

According to the article above, a critical region handling routine was
installed in the week before and this caused a deadlock of the application
cache (not sure exactly what/where the cache is) and handling of disk
access.

------------------------------

Date: Thu, 14 Apr 2016 05:20:12 -0400
From: Michael Bacon - Grimbaldus <michael.bacon () grimbaldus com>
Subject: Re: The Panama Papers and Barbara Streisand (RISKS-29.45)

The media love stories about politicians and their finances. However, there
is a big difference between tax avoidance and tax evasion. I doubt there is
any reader of this who does not take steps to avoid paying taxes they don't
need to. Of course, there might be some who attempt to evade paying taxes
too, but I suspect the balance to be in favour of the former.
The journalists writing in high-handed tones, and the political opponents
trying to make capital [pun intended] out of the stories, are very likely to
be avoiders too ... and possibly evaders.

British Prime Minister David Cameron has come under fire from the opposition
leader Jeremy Corbyn for Cameron's late father's revealed involvement in one
offshore investment company, leading to the PM publishing his tax returns.
Corbyn responded, only for the media to uncover his failure to properly
declare income from three pensions. This is now becoming a bigger story.
Another example of the Streisand Effect?

------------------------------

Date: Mon, 17 Nov 2014 11:11:11 -0800
From: RISKS-request () csl sri com
Subject: Abridged info on RISKS (comp.risks)

 The ACM RISKS Forum is a MODERATED digest. Its Usenet manifestation is
 comp.risks, the feed for which is donated by panix.com as of June 2011.
=> SUBSCRIPTIONS: PLEASE read RISKS as a newsgroup (comp.risks or equivalent)
 if possible and convenient for you. The mailman Web interface can
 be used directly to subscribe and unsubscribe:
   http://mls.csl.sri.com/mailman/listinfo/risks
 Alternatively, to subscribe or unsubscribe via e-mail to mailman
 your FROM: address, send a message to
   risks-request () csl sri com
 containing only the one-word text subscribe or unsubscribe. You may
 also specify a different receiving address: subscribe address= ... .
 You may short-circuit that process by sending directly to either
   risks-subscribe () csl sri com or risks-unsubscribe () csl sri com
 depending on which action is to be taken.

 Subscription and unsubscription requests require that you reply to a
 confirmation message sent to the subscribing mail address. Instructions
 are included in the confirmation message. Each issue of RISKS that you
 receive contains information on how to post, unsubscribe, etc.

=> The complete INFO file (submissions, default disclaimers, archive sites,
 copyright policy, etc.) is online.
   <http://www.CSL.sri.com/risksinfo.html>
 *** Contributors are assumed to have read the full info file for guidelines.

=> .UK users may contact <Lindsay.Marshall () newcastle ac uk>.
=> SPAM challenge-responses will not be honored. Instead, use an alternative
 address from which you NEVER send mail!
=> SUBMISSIONS: to risks () CSL sri com with meaningful SUBJECT: line.
 *** NOTE: Including the string `notsp' at the beginning or end of the subject
 *** line will be very helpful in separating real contributions from spam.
 *** This attention-string may change, so watch this space now and then.
=> ARCHIVES: ftp://ftp.sri.com/risks for current volume
    or ftp://ftp.sri.com/VL/risks for previous VoLume
 http://www.risks.org takes you to Lindsay Marshall's searchable archive at
 newcastle: http://catless.ncl.ac.uk/Risks/VL.IS.html gets you VoLume, ISsue.
 Lindsay has also added to the Newcastle catless site a palmtop version
 of the most recent RISKS issue and a WAP version that works for many but
 not all telephones: http://catless.ncl.ac.uk/w/r
 <http://the.wiretapped.net/security/info/textfiles/risks-digest/> .
==> PGN's historical Illustrative Risks summary of one liners:
   <http://www.csl.sri.com/illustrative.html> for browsing,
   <http://www.csl.sri.com/illustrative.pdf> or .ps for printing
 is no longer maintained up-to-date except for recent election problems.
 *** NOTE: If a cited URL fails, we do not try to update them. Try browsing
 on the keywords in the subject line or cited article leads.
==> Special Offer to Join ACM for readers of the ACM RISKS Forum:
   <http://www.acm.org/joinacm1>

------------------------------

End of RISKS-FORUM Digest 29.46
************************