RISKS Forum mailing list archives

Risks Digest 27.43


From: RISKS List Owner <risko () csl sri com>
Date: Tue, 27 Aug 2013 12:21:44 PDT

RISKS-LIST: Risks-Forum Digest  Tuesday 27 August 2013  Volume 27 : Issue 43

ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
Peter G. Neumann, moderator, chmn ACM Committee on Computers and Public Policy

***** See last item for further information, disclaimers, caveats, etc. *****
This issue is archived at <http://www.risks.org> as
  <http://catless.ncl.ac.uk/Risks/27.43.html>
The current issue can be found at
  <http://www.csl.sri.com/users/risko/risks.txt>

  Contents:
Nasdaq Market Overcomes Trading Failure (Nathaniel Popper)
NZ Inland Revenue system: Watch this space (Richard A. O'Keefe)
Key emergency notification system, NOAA's "All Hazards Radio" DOWN
  (Danny Burstein)
Zuckerberg's Facebook page hacked to prove security flaw (Lauren Weinstein)
Facebook: Governments Demanded Data on 38K Users (Matt Apuzzo via
  Dewayne Hendricks)
Feds Back Away From Forced Decryption -- For Now (David Kravets via
  Dewayne Hendricks)
China suffers 'largest' cyberattack; Censorship makes it difficult to gauge
  attack scope (Lauren Weinstein)
"Zombie scripts can attack at any time" (Paul Venezia via Gene Wirchenko)
Novopay subcontractor bought by reviewer (Richard A. O'Keefe)
"'Jekyll' test attack sneaks through Apple App Store, wreaks havoc on iOS"
  (John Cox via Gene Wirchenko)
"The devil is in the subscription-licensing details" (RL Mitchell via GW)
"Ramnit Financial Malware Now Aimed at Steam Gamers" (Chris Paoli via GW)
"Don't fall prey to ad networks peddling dicey links" (Roger A. Grimes
  via GW)
"Would Transparency by Feds Ease Fears Over Cloud Surveillance?" (GW)
Re: Xerox scanners/photocopiers randomly alter numbers in scanned documents
  (David Lesher, Carlos G Mendioroz)
Re: Risks to NYC Bike Share (George Neville-Neil)
Re: Easter Eggs in Infrastructure Software (David A. Lyons)
Abridged info on RISKS (comp.risks)

----------------------------------------------------------------------

Date: Thu, 22 Aug 2013 15:39:26 PDT
From: "Peter G. Neumann" <neumann () csl sri com>
Subject: Nasdaq Market Overcomes Trading Failure

Nathaniel Popper, *The New York Times*, 22 Aug 2013
http://dealbook.nytimes.com/2013/08/22/nasdaq-market-halts-trading/

Trading in a wide array of stocks, including popular ones like Apple and
Microsoft, ground to a halt on 22 Aug 2013 after a technology problem at the
Nasdaq stock exchange.  It was the latest prominent disruption in the
markets caused by computer glitches.

------------------------------

Date: Fri, 23 Aug 2013 17:00:45 +1200
From: "Richard A. O'Keefe" <ok () cs otago ac nz>
Subject: NZ Inland Revenue system: Watch this space

The current New Zealand Inland Revenue Department is 40 million lines of
COBOL and DMSII and who-knows-what which has been stretched far past its
original design.  I am by background and inclination in roughly the same
political camp as say I. F. Stone, but in the case of a computer system like
this it is hard to argue with small-government conservatives who claim that
the tax system should be simplified.  A simpler system is not necessarily
one that is unfair to workers, after all.

  ``[The] system has been transformed over the years from a tax system
  collecting only income and company tax, to one which covers child support,
  ... student loans, ...  Kiwisaver [a retirement scheme], and Working for
  Families.''
http://www.stuff.co.nz/national/politics/8619006/IRD-computer-systems-1-5b-overhaul

The Cabinet approved what has been described as a "major overhaul" but
sounds more like a total rewrite.  The project is supposed to take 10 years,
and to cost a milliard dollars, although they're allowing for one and a half
milliard.  To put this in perspective, the population of the country is
about 4.5 million, so the annual spend will be 22 to 34 dollars per man,
woman, and child per year.

Several people are freaking out about the big number, but
        40,000,000 lines of code
* 20 lines of tested working documented code/day
      = 2,000,000 programmer-days
* 200 work-days per year
     = 10,000 programmer work-years
* $100,000 salary and overheads per programmer year
     = $1,000,000,000 (one milliard)
equivalent must have been spent building the old system -- using some very
crude estimates I don't care to justify -- so the expected cost of the new
system is not out of line.

Nonetheless, slouching your way to Bedlam one new feature request at a time
is one thing, *intending* to go there is quite another.  It would make a
huge amount of sense spending a full year of design trying to reduce the
size of the planned system (whatever they think the size will be), but it
will take a special miracle from St Thomas More to make _that_ happen.

Expect to hear interesting things about this.

------------------------------

Date: Sun, 18 Aug 2013 21:06:01 -0400 (EDT)
From: danny burstein <dannyb () panix com>
Subject: Key emergency notification system, NOAA's "All Hazards Radio" DOWN

The National Oceanic and Atmospheric Administration (NOAA) has operated a
nationwide network of radio transmitters providing full time weather reports
and forecasts for decades now, dating back to their "Weather Bureau" days.

As I wrote in my note to RISKS back in Oct 2005 [a], where I discussed the
lack of backup power to many of their facilities:

  "These stations are part of the _real_ emergency network and are supposed
  to stay up after anything short of a direct nuclear hit."

There are numerous radio receivers that can pick up these stations, with
many of them in a "silent/squelch mode" until activated.

In case of a local hazardous/emergency situation such as a hurricane,
tornado, flood, chemical spill, nuclear reactor plant breach, or.. national
events up to and including nuclear attack, the transmitters send out an
alert tone which "unlocks" the receivers and activates the loudspeakers.

Hence just about every "911 PSAP" (public safety answering position),
utility headquarters, transit operations center, many tv/radio stations,
and... thousands and thousands of people living in tornado/hurricane/flood
zones, have these radios. Hence it's critical that the system stay up.

Recently friends of mine in NYC noted that the local station, covering
perhaps 15 million people, was repeatedly off the air for the past two
months.

Finally, after many complaints to NOAA, they posted a note on their
"outages" web page confirming the problem. And then, a few days later, came
up with the startling reason that...

(quoting from the page [b]):

  SPECIAL NOTICE
  NEW YORK CITY, NY Transmitter (KWO35)
  Frequency 162.550

  Due to interference issues with the U.S. Coast Guard, the New York City
  transmitter has been temporarily taken out of service while a solution is
  being formulated.

Yes. Really.

The Big Problem here (aside from the lack of urgency by all the folk
involved) is that many, make that MANY, people and agencies are counting on
this working. Folk using the radios in "squelch" (silent) mode are relying
on them to "open up" in an emergency, yet have no way to know the system is
dead.

It's kind of like relying on your overhead sprinklers and not knowing that
the main water valve is off.

[a] http://catless.ncl.ac.uk/Risks/24.07.html#subj4

[b] http://www.nws.noaa.gov/nwr/outages.php

- since the NOAA outage page is dynamic and, hopefully, real soon now, will
  change when the system is finally fixed, I've mirrored that image up at:

    http://www.dburstein.com/images/noaa-tx.png

------------------------------

Date: Mon, 19 Aug 2013 10:09:44 -0700
From: Lauren Weinstein <lauren () vortex com>
Subject: Zuckerberg's Facebook page hacked to prove security flaw

  A Palestinian researcher posted a message on Facebook CEO Mark
  Zuckerberg's page last week after he says the site's security team didn't
  take his warnings about a security flaw seriously.  "First, sorry for
  breaking your privacy and post(ing) to your wall," wrote Khalil
  Shreateh. "I (have) no other choice to make after all the reports I sent
  to (the) Facebook team."  Shreateh, who describes himself as an unemployed
  security researcher with a degree in information systems, said he found a
  hole in Facebook's systems that let him post to any user's page, including
  users not on his Friends list.  Such an exploit would be a virtual gold
  mine for spammers, scam artists and others seeking to take advantage of
  the site's roughly 1 billion users worldwide.
    http://j.mp/14PQL4t  (CNN via NNSquad)

  [See also "Hacker: I pwned Zuckerberg; at least give me a stupid T-shirt"
  (Robert X. Cringely), InfoWorld, 19 Aug 2013.  PGN via GW]
http://www.infoworld.com/t/cringely/hacker-i-pwned-zuckerberg-least-give-me-stupid-t-shirt-225135

------------------------------

Date: August 27, 2013 12:32:01 PM EDT
From: Dewayne Hendricks <dewayne () warpspeed com>
Subject: Facebook: Governments Demanded Data on 38K Users (Matt Apuzzo)

Matt Apuzzo, Associated Press, 27 Aug 2013
http://hosted.ap.org/dynamic/stories/U/US_FACEBOOK_LAW_ENFORCEMENT

WASHINGTON (AP) -- Government agents in 74 countries demanded information on
about 38,000 Facebook users in the first half of this year, with about half
the orders coming from authorities in the United States, the company said
Tuesday.

The social-networking giant is the latest technology company to release
figures on how often governments seek information about its
customers. Microsoft and Google have done the same.

As with the other companies, it's hard to discern much from Facebook's data,
besides the fact that, as users around the globe flocked to the world's
largest social network, police and intelligence agencies followed.

Facebook and Twitter have become organizing platforms for activists and, as
such, have become targets for governments. During anti-government protests
in Turkey in May and June, Turkish Prime Minister Recep Tayyip Erdogan
called social media "the worst menace to society."

At the time, Facebook denied it provided information about protest
organizers to the Turkish government.

Data released Tuesday show authorities in Turkey submitted 96 requests
covering 173 users. Facebook said it provided some information in about 45
of those cases, but there's no information on what was turned over and why.

"We fight many of these requests, pushing back when we find legal
deficiencies and narrowing the scope of overly broad or vague requests,"
Colin Stretch, Facebook's general counsel, said in a company blog post. "When
we are required to comply with a particular request, we frequently share
only basic user information, such as name."

Facebook spokeswoman Sarah Feinberg said the company stands by its
assertions that it gave no information regarding the Turkey protests.

"The data included in the report related to Turkey is about child
endangerment and emergency law enforcement requests," she said. ...

------------------------------

Date: August 27, 2013 7:46:19 AM EDT
From: Dewayne Hendricks <dewayne () warpspeed com>
Subject: Feds Back Away From Forced Decryption -- For Now (David Kravets)

David Kravets, *WiReD*, 27 Aug 2013 [PGN-ed]
http://www.wired.com/threatlevel/2013/08/forced-decryption-legal-battle/

Federal prosecutors have formally dropped demands that a child-porn suspect
give up his encryption keys in a closely watched case, but experts warn the
issue of forced decryption is very much alive and is likely to encompass a
larger swath of Americans as crypto adoption becomes mainstream. ...

The question of whether the government can force a suspect to decrypt hard
drives was thrust into the limelight earlier this year when federal
authorities suspected a Wisconsin man of downloading child pornography from
the file-sharing network e-Donkey. One federal judge ordered the defendant
to decrypt as many as nine hard drives seized from the suspect's suburban
Milwaukee apartment. Another judge put that decision on hold to analyze the
implications of whether the demand breached the Fifth Amendment right
against compelled self incrimination.

The hotly contested legal issue was mooted when prosecutors said the FBI
cracked two of the suspect's drives -- both Western Digital My Book
Essentials.  They announced they found kiddie-porn images and days ago
dropped their forced-decryption legal battle. It's allegedly enough illicit
porn to put Feldman away for decades, if he's found guilty. ...

Wes McGrew, a Mississippi State professor of computer security and reverse
engineering, suspected that authorities cracked Feldman's passwords,
rather than the underlying encryption, to decrypt the Western Digital
drives. ...

For the moment, requiring suspects to decrypt data is rare, and has never
been squarely addressed by the Supreme Court. ...

Dewayne-Net RSS Feed: <http://dewaynenet.wordpress.com/feed/>

------------------------------

Date: Mon, 26 Aug 2013 10:38:24 -0700
From: Lauren Weinstein <lauren () vortex com>
Subject: China suffers 'largest' cyberattack; Censorship makes it difficult
  to gauge attack scope

http://j.mp/143vBRf  (ZDNet via  NNSquad)

  "Many Chinese websites are down following what authorities are describing
  as the "largest denial-of-service attack" it has ever faced. But because
  of heavy Internet regulation and censorship, it's not clear to Western
  eyes how deep the attack went."

Rumor is that the attack is being attributed to the "Pekingese Liberation
Army."

------------------------------

Date: Mon, 26 Aug 2013 11:45:40 -0700
From: Gene Wirchenko <genew () telus net>
Subject: "Zombie scripts can attack at any time"

Paul Venezia, InfoWorld, 26 Aug 2013
Make no mistake, abandoned scripts and other IT zombies can make for
spirited problem solving
http://www.infoworld.com/d/data-center/zombie-scripts-can-attack-any-time-225426

selected text:

Lo and behold, I discovered more than 20,000 emails, the vast majority of
which were returns from a cronjob that someone else had implemented years
ago.  This cronjob was now failing, and the report the cronjob created
couldn't be delivered because the recipient domain no longer existed, and
the mailer error came back to me, the postmaster.
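The failure mode described above, an orphaned cronjob whose report mail bounces back to the postmaster because the recipient domain no longer exists, can be caught before the bounces pile up by auditing crontabs for recipients that can no longer receive mail. The Python below is an added example, not code from the InfoWorld article or from the RISKS item. The crontab text, paths and domains in it are constructed placeholders, and the DNS check is an injectable function so the audit can run offline against a stub resolver.

```python
"""Audit crontab text for jobs whose output mail can no longer be delivered.

Added example for the 'zombie scripts' item; not code from the article.
Cron mails each job's output to MAILTO. When that domain disappears, every
failing run bounces to the postmaster instead of reaching an owner.
"""
import re
import socket
from dataclasses import dataclass
from typing import Callable, List, Optional, Tuple

# Constructed sample crontab: every path and domain here is a placeholder.
SAMPLE_CRONTAB = """\
# m h dom mon dow  command
MAILTO=ops@example.com
0 2 * * * /usr/local/bin/nightly-backup.sh
MAILTO=reports@defunct-subsidiary.invalid
*/15 * * * * /opt/legacy/report.pl --all
MAILTO=
30 4 * * 0 /usr/bin/find /tmp -mtime +7 -delete
@daily /usr/local/bin/rotate-logs.sh
"""


@dataclass
class CronJob:
    schedule: str
    command: str
    mailto: Optional[str]      # None: cron default (local owner); "": output discarded
    domain_ok: Optional[bool]  # None when there is no domain to check


def dns_resolver(domain: str) -> bool:
    """Live check: does the recipient domain resolve at all? (stdlib has no MX lookup)"""
    try:
        socket.getaddrinfo(domain, None)
        return True
    except socket.gaierror:
        return False


# VAR=value lines (optionally quoted) that crontab allows between job lines.
_ENV_RE = re.compile(r'^([A-Za-z_][A-Za-z0-9_]*)\s*=\s*"?([^"]*)"?$')
# @reboot / @daily style schedules instead of the five time fields.
_SPECIAL_RE = re.compile(
    r'^(@(?:reboot|yearly|annually|monthly|weekly|daily|midnight|hourly))\s+(.+)$')


def parse_crontab(text: str,
                  resolver: Callable[[str], bool] = dns_resolver) -> List[CronJob]:
    """Parse crontab lines, tracking MAILTO so each job knows where its output goes."""
    jobs: List[CronJob] = []
    mailto: Optional[str] = None
    cache = {}  # one resolver call per distinct domain
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        env = _ENV_RE.match(line)
        if env:
            if env.group(1) == "MAILTO":
                mailto = env.group(2)  # "" means cron discards the output
            continue
        special = _SPECIAL_RE.match(line)
        if special:
            schedule, command = special.group(1), special.group(2)
        else:
            fields = line.split(None, 5)
            if len(fields) < 6:
                continue  # not a job line we understand
            schedule, command = " ".join(fields[:5]), fields[5]
        domain_ok = None
        if mailto and "@" in mailto:
            domain = mailto.rsplit("@", 1)[1].lower()
            if domain not in cache:
                cache[domain] = resolver(domain)
            domain_ok = cache[domain]
        jobs.append(CronJob(schedule, command, mailto, domain_ok))
    return jobs


def zombie_candidates(jobs: List[CronJob]) -> List[Tuple[str, str]]:
    """(command, reason) for jobs whose failures would never reach a live owner."""
    out = []
    for j in jobs:
        if j.domain_ok is False:
            out.append((j.command, f"recipient domain of {j.mailto} does not resolve"))
        elif j.mailto == "":
            out.append((j.command, "MAILTO is empty: output and errors are discarded"))
    return out


def stub_resolver(domain: str) -> bool:
    """Offline stand-in for DNS used by the demo: only example.com 'exists'."""
    return domain == "example.com"


if __name__ == "__main__":
    for command, reason in zombie_candidates(parse_crontab(SAMPLE_CRONTAB, stub_resolver)):
        print(f"{command}\n    -> {reason}")
```

Run against real crontabs (`crontab -l` output, or the files under `/etc/cron.d`) with the default `dns_resolver`, the report lists the jobs nobody would hear from when they break. Empty MAILTO is reported alongside dead domains because it produces the same silence by a different route.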

------------------------------

Date: Fri, 23 Aug 2013 17:42:49 +1200
From: "Richard A. O'Keefe" <ok () cs otago ac nz>
Subject: Novopay subcontractor bought by reviewer (Re: RISKS-27.36,39,40)

Stephen Joyce issued the "Novopay Technical Review - Terms of Reference"

An anonymous report was issued on 19 Mar 2013.  The review was done by
Deloitte, under the direction of Murray Jack in his role as chairman of
Deloitte.  The subsequent Ministerial Inquiry into Novopay was headed by
Murray Jack in his role as a private individual.
http://www.minedu.govt.nz/~/media/MinEdu/Files/TheMinistry/NovopayProject/MinisterialInquiry/TechnicalReviewTermsOfReference.pdf
http://www.minedu.govt.nz/~/media/MinEdu/Files/TheMinistry/NovopayProject/MinisterialInquiry/TechnicalReviewFinalReport.pdf

According to the National Business Review, Deloitte recently bought Asparona,
a development-on-Oracle company, and one of the subcontractors that did
software development work on Novopay.  In fairness to Asparona, the Novopay
shambles is a project management shambles, not a programming shambles as
such, and Asparona "were brought onboard ... *after* the Ministry of
Education" noticed things were going badly.
http://www.nbr.co.nz/article/deloitte-buys-novopay-subcontractor-no-open-ck-p-144414

Still:
 (1) The government paid Deloitte to examine Novopay.
 (2) Deloitte said it can be fixed and recommended throwing more money and
      people at it.
 (3) The government says "OK boss".
 (4) Deloitte bought the subcontractor.

I'm sure that this was all done according to the highest of business ethics
complete with Chinese walls, but at a minimum it seems as if Deloitte had a
taxpayer-subsidized opportunity to inspect Asparona that other conceivable
purchasers did not have.

The press seem to be reporting this just as an endorsement of how good
Asparona were.  Maybe I'm crazy to find this just a touch on the nose.

------------------------------

Date: Tue, 20 Aug 2013 17:40:11 -0700
From: Gene Wirchenko <genew () telus net>
Subject: "'Jekyll' test attack sneaks through Apple App Store, wreaks
  havoc on iOS" (John Cox)

John Cox, Network World, 19 Aug 2013
Like a Transformer robot, malicious Apple iOS app re-assembles itself
into an aggressive attacker running inside the iOS 'sandbox'
http://www.infoworld.com/d/security/jekyll-test-attack-sneaks-through-apple-app-store-wreaks-havoc-ios-225107

------------------------------

Date: Tue, 20 Aug 2013 19:50:55 -0700
From: Gene Wirchenko <genew () telus net>
Subject: "The devil is in the subscription-licensing details" (RL Mitchell)

  This is a resubmittal.  This item appeared in 27.42, but you did not
  include the URL.  GW  [Ooooops!  PGN]

Robert L. Mitchell, Computerworld, 13 Aug 2013
The devil is in the subscription-licensing details
The transition to cloud-based services is ratcheting up traditional
enterprise software costs and adding layers of complexity
http://www.infoworld.com/t/applications/the-devil-in-the-subscription-licensing-details-224737

------------------------------

Date: Wed, 21 Aug 2013 14:24:26 -0700
From: Gene Wirchenko <genew () telus net>
Subject: "Ramnit Financial Malware Now Aimed at Steam Gamers" (Chris Paoli)

Chris Paoli, *Redmond Magazine*, 21 Aug 2013
Ramnit Financial Malware Now Aimed at Steam Gamers
A variant of the popular "money in the bank" malware is now targeting
the largest online game distributor.
http://redmondmag.com/articles/2013/08/21/ramnit-financial-malware.aspx

------------------------------

Date: Tue, 20 Aug 2013 17:26:16 -0700
From: Gene Wirchenko <genew () telus net>
Subject: "Don't fall prey to ad networks peddling dicey links"
  (Roger A. Grimes)

Roger A. Grimes, InfoWorld, 20 Aug 2013
If your website accepts links from third parties -- such as ad
networks -- make sure they don't lead to malicious sites
http://www.infoworld.com/d/security/dont-fall-prey-ad-networks-peddling-dicey-links-225216

------------------------------

Date: Mon, 19 Aug 2013 13:54:04 -0700
From: Gene Wirchenko <genew () telus net>
Subject: "Would Transparency by Feds Ease Fears Over Cloud Surveillance?"

http://redmondmag.com/blogs/the-schwartz-report/2013/08/cloud-surveillance.aspx

------------------------------

Date: Mon, 19 Aug 2013 10:04:59 -0400
From: David Lesher <wb8foz () panix com>
Subject: Re: Xerox scanners/photocopiers randomly alter numbers in scanned
  documents (RISKS-27.41)

Decades ago, I recall the monster IBM 3800 laser printer on NASA-LeRC's 3033
had another subtle firmware/hardware bug. The 3800 served the entire lab,
and thanks to robust home-grown utilities [some written in Fortran..]  did
almost everything you needed, from correspondence on letterhead to memos to
graphs/charts.

But sometime it would, seemingly randomly, drop a whole line of text.

When Legal found out, they went into orbit. Thereafter, all legal documents
had to use the PRINT-90 utility; the theory being a missing column of text
would be far more obvious than a missing line.

------------------------------

Date: Sun, 18 Aug 2013 20:29:20 -0300
From: Carlos G Mendioroz <tron () huapi ba ar>
Subject: Re: Xerox scanners/photocopiers randomly alter numbers in scanned
  documents (RISKS-27.41)

Already done, some 30 years ago. We had a document system that altered the
dot matrix definition of characters according to the user printing the
doc. Subtle, invisible to the naked eye...

Carlos G Mendioroz  <tron () huapi ba ar>  LW7 EQI  Argentina

------------------------------

Date: Sun, 18 Aug 2013 22:53:56 -0400
From: George Neville-Neil <gnn () neville-neil com>
Subject: Re: Risks to NYC Bike Share (RISKS-27.42)

Paul Schreiber <paulschreiber () gmail com> wrote to me:

In my experience, you can only press the wrench button immediately
after returning a bicycle.

That may have (finally) been fixed but it was definitely not the case
when they started.  They claimed they were going to fix it, perhaps they did.

------------------------------

Date: Sun, 18 Aug 2013 16:24:14 -0700
From: "David A. Lyons" <dlyons () lyons42 com>
Subject: Re: Easter Eggs in Infrastructure Software (weather.gov), RISKS 27.41

The US National Weather Service's website <www.weather.gov> returns a
forecast for Manhattan when the location "evil" is searched.  ... The
risks? ... introduction of incorrect behavior into critical code, probably
for the sake of a very bad taste "joke".

The result is puzzling and obscure, but perhaps not the result of a database
error or a joke.  The URL after the search is
<http://forecast.weather.gov/MapClick.php?lat=40.764477&lon=-73.999121&site=all&smap=1&searchresult=Intrepid%20Sea%2C%20Air%20%26%20Space%20Museum%2C%20New%20York%2C%20NY%2010036%2C%20USA#.UhFWGVzTzUk>,
indicating the "Intrepid Sea, Air & Space Museum, New York, NY 10036, USA".

After further web searches, I see the museum features the USS Intrepid,
known as "the Evil I".
<http://www.homeandabroad.com/browse/details/sites.ha?mainInfoId=20337>.

------------------------------

Date: Sun, 7 Oct 2012 20:20:16 -0900
From: RISKS-request () csl sri com
Subject: Abridged info on RISKS (comp.risks)

 The ACM RISKS Forum is a MODERATED digest. Its Usenet manifestation is
 comp.risks, the feed for which is donated by panix.com as of June 2011.
=> SUBSCRIPTIONS: PLEASE read RISKS as a newsgroup (comp.risks or equivalent)
 if possible and convenient for you.  The mailman Web interface can
 be used directly to subscribe and unsubscribe:
   http://lists.csl.sri.com/mailman/listinfo/risks
 Alternatively, to subscribe or unsubscribe via e-mail to mailman
 your FROM: address, send a message to
   risks-request () csl sri com
 containing only the one-word text subscribe or unsubscribe.  You may
 also specify a different receiving address: subscribe address= ... .
 You may short-circuit that process by sending directly to either
   risks-subscribe () csl sri com or risks-unsubscribe () csl sri com
 depending on which action is to be taken.

 Subscription and unsubscription requests require that you reply to a
 confirmation message sent to the subscribing mail address.  Instructions
 are included in the confirmation message.  Each issue of RISKS that you
 receive contains information on how to post, unsubscribe, etc.

=> The complete INFO file (submissions, default disclaimers, archive sites,
 copyright policy, etc.) is online.
   <http://www.CSL.sri.com/risksinfo.html>
 *** Contributors are assumed to have read the full info file for guidelines.

=> .UK users may contact <Lindsay.Marshall () newcastle ac uk>.
=> SPAM challenge-responses will not be honored.  Instead, use an alternative
 address from which you NEVER send mail!
=> SUBMISSIONS: to risks () CSL sri com with meaningful SUBJECT: line.
 *** NOTE: Including the string "notsp" at the beginning or end of the subject
 *** line will be very helpful in separating real contributions from spam.
 *** This attention-string may change, so watch this space now and then.
=> ARCHIVES: ftp://ftp.sri.com/risks for current volume
     or ftp://ftp.sri.com/VL/risks for previous VoLume
 http://www.risks.org takes you to Lindsay Marshall's searchable archive at
 newcastle: http://catless.ncl.ac.uk/Risks/VL.IS.html gets you VoLume, ISsue.
   Lindsay has also added to the Newcastle catless site a palmtop version
   of the most recent RISKS issue and a WAP version that works for many but
   not all telephones: http://catless.ncl.ac.uk/w/r
 <http://the.wiretapped.net/security/info/textfiles/risks-digest/> .
==> PGN's comprehensive historical Illustrative Risks summary of one liners:
    <http://www.csl.sri.com/illustrative.html> for browsing,
    <http://www.csl.sri.com/illustrative.pdf> or .ps for printing
  is no longer maintained up-to-date except for recent election problems.
 *** NOTE: If a cited URL fails, we do not try to update them.  Try
  browsing on the keywords in the subject line or cited article leads.
==> Special Offer to Join ACM for readers of the ACM RISKS Forum:
    <http://www.acm.org/joinacm1>

------------------------------

End of RISKS-FORUM Digest 27.43
************************