RISKS Forum mailing list archives

Risks Digest 27.79


From: RISKS List Owner <risko () csl sri com>
Date: Thu, 6 Mar 2014 10:55:22 PST

RISKS-LIST: Risks-Forum Digest  Thursday 6 March 2014  Volume 27 : Issue 79

ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
Peter G. Neumann, moderator, chmn ACM Committee on Computers and Public Policy

***** See last item for further information, disclaimers, caveats, etc. *****
This issue is archived at <http://www.risks.org> as
  <http://catless.ncl.ac.uk/Risks/27.79.html>
The current issue can be found at
  <http://www.csl.sri.com/users/risko/risks.txt>

  Contents:
95% of bank ATMs face XP end of security support (Henry Baker)
"7 hidden dangers of wearable computers" (Jaikumar Vijayan via
  Gene Wirchenko)
"Techies: Take a congressman and a cop to work with you" (Bill Snyder via
  Gene Wirchenko)
"Two more Bitcoin exchanges fall prey to alleged hacker theft" (Kevin Lee
  via Gene Wirchenko)
"What Disney World teaches us about mobile payments" (Galen Gruman via
  Gene Wirchenko)
Critical crypto bug leaves Linux, hundreds of apps open to eavesdropping
  (Ars Technica via Lauren Weinstein)
Linksys E1000, E1200, and E2400 routers reportedly have exploitable
  vulnerability (Bob Gezelter)
Re: Apple Rolls Out CarPlay (Bob Frankston)
TrustyCon and the RSA con NSA poll (Scott Miller)
Re: Smarter caller-id spoofing (Chris Drewe)
Apple security rules leave inherited iPad useless (Amos Shapir)
Author Anne Rice has it dead wrong on comments and anonymity
  (Lauren Weinstein)
Race To Stop 'Revenge Porn' Raises Free Speech Worries (Lauren Weinstein)
Medtronic Carelink User Guide on passwords (Shawn Merdinger)
Book review: Adam Shostack, Threat Modeling: Designing for Security
  (Ben Rothke)
Abridged info on RISKS (comp.risks)

----------------------------------------------------------------------

Date: Tue, 04 Mar 2014 06:34:04 -0800
From: Henry Baker <hbaker1 () pipeline com>
Subject: 95% of bank ATMs face XP end of security support

FYI -- "Banks everywhere are in a race against time to upgrade their ATMs
_before_ they become hot targets for hackers."  "Before" ???

I can't wait for the security popup window (see link below) to show up on
the 8th of each month on my bank's XP ATM machine.

Of course, the cure may be worse than the disease: "Modern technology allows
companies to push software updates via their networks instead of paying each
ATM a physical visit."  What could possibly go wrong with this plan,
especially when these same banks have yet to upgrade to TLS1.2 on their own
websites?

Published on Dec 29, 2013: Electronic Bank Robberies: Stealing Money from
ATMs with Malware:

http://www.youtube.com/watch?v=0c08EYv4N5A
http://www.bbc.co.uk/news/technology-25550512

BTW, these US banks are subsidized by US taxpayers through below-market
interest rates from the Fed, so US taxpayers are paying for this folly, not
bank management.

http://www.dallasnews.com/business/business-headlines/20140226-banking-industry-checks-in-with-record-2013-profits-of-154.7-billion.ece

"Yes, Microsoft will use a popup to push users off of Windows XP"
http://www.pcworld.com/article/2103495/yes-microsoft-will-use-a-popup-to-push-users-off-of-windows-xp.html
http://money.cnn.com/2014/03/04/technology/security/atm-windows-xp/index.html

95% of bank ATMs face end of security support
By Jose Pagliery  @Jose_Pagliery March 4, 2014: 6:59 AM ET

Nearly all ATMs run on Windows XP, and that'll soon be a problem.
NEW YORK (CNNMoney)

Banks everywhere are in a race against time to upgrade their ATMs before
they become hot targets for hackers.

An estimated 95% of American bank ATMs run on Windows XP, and Microsoft is
killing off tech support for that operating system on April 8. That means
Microsoft (MSFT, Fortune 500) will no longer issue security updates to patch
holes in Windows XP, leaving those ATMs exposed to new kinds of
cyberattacks.

"This isn't a Y2K thing, where we're expecting the financial system to shut
down.  But it's fairly serious," said Kurtis Johnson, an ATM expert with
U.S. manufacturer Triton.

If banks fail to upgrade their ATMs to a newer version of Windows by April,
customers might be at risk.  If hackers discover new flaws in Windows XP,
those bugs will go unaddressed, leaving attackers free to exploit them.

It can't yet be known what hackers could do with a Windows XP ATM after
April 8.  But the prospect of providing a potentially compromised machine
with your account and PIN information is unsettling.

Major banks are now cutting special deals with Microsoft to extend life
support for their Windows XP machines while they replace their fleet of
ATMs.  JPMorgan (JPM, Fortune 500) bought a one-year extension of service
and plans to start upgrading ATMs to Windows 7 at Chase banks in July.
Citibank (C, Fortune 500) and Wells Fargo (WFC, Fortune 500) said they're
also upgrading ATMs, but they wouldn't provide details about their plans.
Bank of America (BAC, Fortune 500) did not respond to requests for comment.

Replacing the operating systems on ATMs is a major undertaking.  In the
United States, there are 210,500 bank ATMs, about 200,000 of which run on
Windows XP, according to Retail Banking Research in London.  In most cases,
banks must upgrade the software one ATM at a time, and some will need the
entire computer inside replaced too.  Labor included, it's a process that
experts in the ATM industry say could cost anywhere between $1,000 and
$3,500 apiece.

"Once they start using an operating system, they'll ride it as long and as
hard as they can," said Wes Dunn, a sales executive at ATM manufacturer
Genmega.

Microsoft CEO: "Mobile first, cloud first"

It might sound odd that ATMs are running on aging software better suited to
a home PC.  In fact, security experts have chastised the financial industry
for putting ATMs on a PC operating system in the first place.  They argue
ATMs should be using software that is scaled down and less buggy, such as
Linux.

But banks long ago decided that Microsoft's familiar way of displaying
windows and text would sit well with customers.

Upgrading to Windows 7 or 8 will give ATMs more of a sleek feel that
resembles the latest apps on tablets and smartphones, said Jeff Dudash, a
spokesman for ATM manufacturer NCR.

One ATM manufacturer, Diebold (DBD), says banks are using this opportunity
to add newer card readers to their ATMs that accept more secure chip-and-PIN
cards.  Those cards have already been adopted worldwide but have yet to grow
popular in the United States.

Banks that retrofit their ATMs with new hardware will, in the future, be
able to upgrade their entire fleets of ATMs with a click of a button.
Modern technology allows companies to push software updates via their
networks instead of paying each ATM a physical visit.

Ironically, bank customers have less to worry about from those nondescript
ATMs found in malls, bars and tiny convenience stores.  Those 208,000
independently-run kiosks, built by Triton, Genmega and Nautilus Hyosung,
make up the other half of the nation's ATMs.  And nearly all of them run on
an even older, simpler operating system called Windows CE -- which Microsoft
still supports.

First Published: March 4, 2014: 6:59 AM ET

------------------------------

Date: Tue, 04 Mar 2014 09:15:44 -0800
From: Gene Wirchenko <genew () telus net>
Subject: "7 hidden dangers of wearable computers" (Jaikumar Vijayan)

Jaikumar Vijayan, Computerworld, March 4, 2014 (via InfoWorld)
Wearable computers like smart watches offer myriad benefits, but they
also raise security concerns.
http://www.infoworld.com/slideshow/142881/7-hidden-dangers-of-wearable-computers-237591

------------------------------

Date: Thu, 06 Mar 2014 09:34:42 -0800
From: Gene Wirchenko <genew () telus net>
Subject: "Techies: Take a congressman and a cop to work with you"
  (Bill Snyder)

Bill Snyder, InfoWorld, 6 Mar 2014
From distracted driving to virtual money, the law and lawmakers can't keep
up with technological change.  Let's clue them in.
http://www.infoworld.com/d/the-industry-standard/techies-take-congressman-and-cop-work-you-237780

selected text:

As we all know, technology moves at a lightning pace. But the law moves
much, much slower. A glance at some of the events that have made news
recently shows why we need to periodically get policy makers and enforcers
into the tech trenches.

------------------------------

Date: Wed, 05 Mar 2014 08:28:23 -0800
From: Gene Wirchenko <genew () telus net>
Subject: "Two more Bitcoin exchanges fall prey to alleged hacker theft"
  (Kevin Lee)

Kevin Lee, *Tech Radar*, 4 Mar 2014
Bitcoin taking the one-two punch
http://www.techradar.com/us/news/internet/cloud-services/hacker-theft-hits-two-more-bitcoin-exchanges-losing-hundreds-of-thoudands-of-virtual-coins-1231

selected text:

A pair of Bitcoin exchanges have gone down after a bout of hacking attacks.

Flexcoin announced that its virtual vault was emptied by Internet thieves
and that it will be shutting down immediately.

The second bad news for Bitcoin came from Poloniex, which admitted it lost
12.3% of its cryptocurrency funds in an estimated $50,000.

------------------------------

Date: Tue, 04 Mar 2014 09:12:23 -0800
From: Gene Wirchenko <genew () telus net>
Subject: "What Disney World teaches us about mobile payments" (Galen Gruman)

Galen Gruman, InfoWorld, 04 Mar 2014
Even in a highly controlled environment, the popular notion struggles
to work as needed.
http://www.infoworld.com/d/consumerization-of-it/what-disney-world-teaches-us-about-mobile-payments-237456

------------------------------

Date: Tue, 4 Mar 2014 12:17:02 -0800
From: Lauren Weinstein <lauren () vortex com>
Subject: Critical crypto bug leaves Linux, hundreds of apps open to eavesdropping

  "Hundreds of open source packages, including the Red Hat, Ubuntu, and
  Debian distributions of Linux, are susceptible to attacks that circumvent
  the most widely used technology to prevent eavesdropping on the Internet,
  thanks to an extremely critical vulnerability in a widely used
  cryptographic code library.  The bug in the GnuTLS library makes it
  trivial for attackers to bypass secure sockets layer (SSL) and Transport
  Layer Security (TLS) protections available on websites that depend on the
  open source package. Initial estimates included in Internet discussions
  such as this one indicate that more than 200 different operating systems
  or applications rely on GnuTLS to implement crucial SSL and TLS
  operations, but it wouldn't be surprising if the actual number is much
  higher. Web applications, e-mail programs, and other code that use the
  library are vulnerable to exploits that allow attackers monitoring
  connections to silently decode encrypted traffic passing between end users
  and servers.  The bug is the result of commands in a section of the GnuTLS
  code that verify the authenticity of TLS certificates, which are often
  known simply as X509 certificates."
    http://j.mp/1jPcVOr  (Ars Technica via NNSquad)
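  [The article above describes the flaw only as a bug in the GnuTLS code
  that verifies certificates.  What shipped, tracked as CVE-2014-0092, was
  an error-handling mix-up rather than a cryptographic weakness: GnuTLS's
  internal helpers return negative error codes, an integer meant to answer
  "is this issuer a CA?" (1 or 0) leaked such a negative code through its
  cleanup path on malformed input, and the caller treated every nonzero
  value as "yes".  A certificate the parser could not even decode was
  therefore accepted as a valid signer.  The C below is an added
  illustration of that pattern written for this digest; it is not GnuTLS's
  own source.  The struct, function names, the error constant and the three
  sample certificates are all constructed for the example.

```c
#include <stdio.h>

/* Hypothetical negative error code.  Real libraries return codes of this
 * shape (GNUTLS_E_*, etc.) from their parsing helpers. */
#define ERR_BAD_ENCODING (-5)

/* Toy certificate: the fields a CA check would consult, plus a flag that
 * stands in for "the DER parser would reject this blob". */
struct cert {
    const char *subject;
    int encoding_ok;   /* 0: parser fails on this certificate */
    int is_ca;         /* basicConstraints CA bit */
};

/* Stand-in for the parsing step: 0 on success, negative on error. */
static int get_basic_constraints(const struct cert *c, int *ca_out)
{
    if (!c->encoding_ok)
        return ERR_BAD_ENCODING;
    *ca_out = c->is_ca;
    return 0;
}

/* Buggy pattern.  Contract: 1 = issuer is a CA, 0 = it is not.  On a
 * parse error the code jumps to cleanup with 'result' still negative,
 * so the caller receives -5, which is "not 0". */
int check_if_ca_buggy(const struct cert *issuer)
{
    int result, ca = 0;

    result = get_basic_constraints(issuer, &ca);
    if (result < 0)
        goto cleanup;          /* BUG: result is the error code here */
    result = ca ? 1 : 0;
cleanup:
    return result;
}

/* Fixed pattern: every error path is forced to the failure value. */
int check_if_ca_fixed(const struct cert *issuer)
{
    int result, ca = 0;

    result = get_basic_constraints(issuer, &ca);
    if (result < 0) {
        result = 0;            /* an error means "do not trust" */
        goto cleanup;
    }
    result = ca ? 1 : 0;
cleanup:
    return result;
}

/* Caller as written in the vulnerable path: only 0 counts as failure, so
 * the leaked -5 is accepted as "is a CA".  Returns 1 = accepted. */
int issuer_accepted_buggy(const struct cert *issuer)
{
    if (check_if_ca_buggy(issuer) == 0)
        return 0;
    return 1;
}

/* Defensive caller: require the exact success value, so even a helper
 * that still leaks an error code cannot be mistaken for success. */
int issuer_accepted_fixed(const struct cert *issuer)
{
    return check_if_ca_fixed(issuer) == 1 ? 1 : 0;
}

/* Constructed sample inputs. */
const struct cert REAL_CA        = { "Example Root CA",  1, 1 };
const struct cert LEAF           = { "www.example.test", 1, 0 };
const struct cert MALFORMED_LEAF = { "attacker-crafted", 0, 0 };

int main(void)
{
    printf("real CA   : buggy=%d fixed=%d\n",
           issuer_accepted_buggy(&REAL_CA), issuer_accepted_fixed(&REAL_CA));
    printf("leaf      : buggy=%d fixed=%d\n",
           issuer_accepted_buggy(&LEAF), issuer_accepted_fixed(&LEAF));
    printf("malformed : buggy=%d fixed=%d\n",
           issuer_accepted_buggy(&MALFORMED_LEAF),
           issuer_accepted_fixed(&MALFORMED_LEAF));
    return 0;
}
```

  The check a reviewer wants here is twofold: a boolean-returning routine
  must set its result to the failure value on every error path before
  jumping to the shared cleanup label, and its callers must compare against
  the exact success value rather than "anything but zero".  Either fix alone
  closes the hole; doing both means a future helper that again leaks an
  error code is still caught.]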

------------------------------

Date: Wed, 05 Mar 2014 00:58:40 -0700
From: "Bob Gezelter" <gezelter () rlgsc com>
Subject: Linksys E1000, E1200, and E2400 routers reportedly have exploitable
 vulnerability

There is reportedly another vulnerability in a SOHO router product, this
time affecting a family of Linksys products.  Apparently, the vulnerability
affects the Home Network Administration Protocol (HNAP) used for remote
management of routers and firewalls.  From the report, it appears to be
another case of weak authentication.  The ARS Technica report can be found
at:
http://arstechnica.com/security/2014/02/bizarre-attack-infects-linksys-routers-with-self-replicating-malware/
The SANS blog post is at:
https://isc.sans.edu/diary/Linksys+Worm+%22TheMoon%22+Summary%3A+What+we+know+so+far/17633
Bob Gezelter, http://www.rlgsc.com

------------------------------

Date: 3 Mar 2014 20:21:30 -0500
From: "Bob Frankston" <bob2 () bob ma>
Subject: Re: Apple Rolls Out CarPlay (RISKS-27.78)

It's hard to tell how open the interface is from these announcements.
According to http://goo.gl/Lg7rpk it is a factory feature. Given it's 2014
why not make this a generic network connection? Do others on the list have
more details?

There's a risk here in locking cars into Apple's silo instead of a more open
protocol. http://goo.gl/TvVyiC laments automobile manufacturers understand
these new technologies.

What would be nice is more of an open BYOD (Bring Your Own Device) attitude
with a place for mounting devices and access to screens but then we get into
regulations, liability, the business model of the automobile industry and
more risks.

------------------------------

Date: Tue, 4 Mar 2014 07:41:51 -0500
From: "Scott Miller" <SMiller () unimin com>
Subject: TrustyCon and the RSA con NSA poll (Re: RISKS-27.78)

On the other paw, there is this article stating that a poll taken at the RSA
conference to which TrustyCon is the intended counterpoint has 52% of
respondents disagreeing that NSA surveillance went too far. Which, if
accurate and representative, suggests that the enemies of privacy are not
only the NSA and companies such as RSA that depend on the MIC and the Wars
On Everything, but a very large number of individual information security
practitioners, as well. Perhaps a case should be made to restructure
organizations for infosec professionals to reflect who is on which side here
(I do think that at this point in the debate, "sides" is an appropriate
metaphor).
http://www.darkreading.com/privacy/fewer-than-half-of-it-pros-at-rsa-confer/240166418

------------------------------

Date: Wed, 05 Mar 2014 19:10:40 +0000
From: "Chris Drewe" <e767pmk () yahoo co uk>
Subject: Re: Smarter caller-id spoofing (RISKS-27.75)

This may be old news now, but I just spotted this on *The Telegraph* web site.

Jessica Winch, *The Telegraph*, 5 Mar 2014
http://www.telegraph.co.uk/finance/personalfinance/consumertips/banking/10677764/Caller-ID-shows-your-banks-number-but-its-actually-a-fraudster.html

Caller ID shows your bank's number -- but it's actually a fraudster

Conmen are using fake 'caller ID' numbers to persuade victims that the call
is from their bank; Watch out for phony e-commerce sites looking to steal
your money and personal data.

Fraudsters are targeting bank customers with a new scam using fake caller ID
numbers.

The conmen call the customer and pretend to be a representative from their
bank or credit card company.  They convince customers the call is from their
bank because the caller ID matches a legitimate bank number, often the one
printed on the back of a bank card.  The scammers then persuade the customer
to hand over sensitive personal and financial information.

The scam, known as "number spoofing", has been widespread in the United
States for at least a year and is now becoming common in Britain.  According
to Ofcom, the phone regulator, the fraudsters use software to manipulate the
caller ID number. [...]

------------------------------

Date: Wed, 5 Mar 2014 17:58:18 +0200
From: Amos Shapir <amos083 () gmail com>
Subject: Apple security rules leave inherited iPad useless

Inherited iPad cannot be used because Apple does not know how to deal with
wills.  Full story at: http://www.bbc.com/news/technology-26448158

Beside the technical points, there is an interesting point of principle
here: Do rules set up by a multi-national company trump the law of the land?

------------------------------

Date: Wed, 5 Mar 2014 16:56:24 -0800
From: Lauren Weinstein <lauren () vortex com>
Subject: Author Anne Rice has it dead wrong on comments and anonymity

"Anne Rice signs petition to protest bullying of authors on Amazon"

  "The Interview with the Vampire author is a signatory to a new petition,
  which is rapidly gathering steam, calling on Amazon to remove anonymity
  from its reviewers in order to prevent the "bullying and harassment" it
  says is rife on the site."
    http://j.mp/1fISk9B  (*The Guardian* via NNSquad)

Anne Rice apparently only wants good reviews. Because the problem with
removing anonymity in book (or app!) reviews is that it skews reviews toward
the positive. It creates a "fan boy" atmosphere where anyone who dares to
speak out against a book or app (or whatever) is set upon by the fan
boys. And it discourages people who may have special knowledge about
sensitive topics from reviewing at all. Think of a parent who has a child
with a disease that carries stigma -- afraid to comment non-anonymously for
fear of the impact on that child. Sorry, Anne, you're missing the
point. Bullying is bad, but trying to kill anonymity is even worse.

------------------------------

Date: Thu, 6 Mar 2014 09:43:20 -0800
From: Lauren Weinstein <lauren () vortex com>
Subject: Race To Stop 'Revenge Porn' Raises Free Speech Worries

  "This is a delicate issue," says Lee Rowland of the American Civil
  Liberties Union, who says the legislation is "spreading like wildfire."
  "The ACLU is concerned both with the protection of privacy and free speech
  rights."  "But the reality is that revenge porn laws tend to criminalize
  the sharing of nude images that people lawfully own," says Rowland, a
  lawyer with the ACLU's Speech, Privacy and Technology Project. "That
  treads on very thin ice constitutionally."  The compelling constitutional
  questions, however, have not slowed the state-level efforts to criminalize
  the distribution and posting of explicit photos or videos without the
  consent of the subject.
    http://j.mp/1fbdVau  (NPR via NNSquad)

The intersection of privacy and free speech is clearly among the most
complex policy-related Internet areas. No simple answers.

------------------------------

Date: Tue, 4 Mar 2014 14:47:14 -0500
From: Shawn Merdinger <shawnmer () gmail com>
Subject: Medtronic Carelink User Guide on passwords

"You may use these stickers to write your username and password and post on
 your computer monitor."
http://www.medtronic.com/emails/carelink/downloads/carelink-patient-brochure-aug2012.pdf
https://twitter.com/shawnmer/status/440702641153142784

While I can understand the rationale behind this, and in some ways it makes
sense: for a home health monitoring system, the user is likely sick, older,
perhaps mentally not all there, or otherwise incapacitated...and perhaps
relying on a family member or outside caregiver or skilled computer user. So
the time delays in finding or remembering a lost/forgotten password may have
a higher HEALTH risk than the risk of these credentials openly displayed in
the home...and the vendor helpdesk costs of handling customer password
resets were also likely a driver here. That said, there are risks. It's a
matter of who pays the price, wittingly or not.

------------------------------

Date: Mon, 3 Mar 2014 19:50:16 -0500
From: Ben Rothke <brothke () hotmail com>
Subject: Book review: Adam Shostack, Threat Modeling: Designing for Security

When it comes to measuring and communicating threats, the most ineffective
example in recent memory was the Homeland Security Advisory System -- which
was a color-coded terrorism threat advisory scale.  The system was rushed
into use and its output of colors was not clear.  What was the difference
between levels such as high, guarded, and elevated?  From a threat
perspective, which color was more severe - yellow or orange?  Former DHS
chairman Janet Napolitano even admitted that the color-coded system
presented ``little practical information'' to the public.  While the DHS has
never really provided meaningful threat levels, in *Threat Modeling:
Designing for Security*, author Adam Shostack (full disclosure: Adam and I
are friends) has done a remarkable job in detailing an approach that is both
achievable and functional.  More importantly, he details a system where
organizations can obtain meaningful and actionable information, rather than
vague color charts.

Full review at:
http://www.rsaconference.com/blogs/507/rothke/threat-modeling-designing-for-security

  [Adam's initial epigram (attributed to George Box) is ``All models are
  wrong, some models are useful.''  This is a large book, xxxiii+590 pp.,
  Wiley, 2014.  It distills considerable practically oriented wisdom and
  experience, and should be a very valuable resource for developers of
  would-be more-secure systems.  Indeed, the emphasis is on practicality, as
  Adam eschews higher-end more formally based approaches.

  In contrast to Adam's threat-driven approach, I noted in RISKS-27.73 the
  top-down approach that Nancy Leveson and Bill Young describe in their
  Inside Risks article in the February 2014 issue of the *Communications of
  ACM*, which begins with the enterprise-level emergent properties (e.g.,
  for security and human safety) rather than driven bottom-up from the
  threat models, and implicitly exposes the threat models to encompass
  intentional and accidental threats.

  Perhaps both of these approaches *together* might dramatically improve on
  the state of the art in commercial system developments today.  Adam's
  approach might be limited by the incompleteness of the threat set, and
  Nancy and Bill's by the difficulties in refining the analysis to encompass
  all realistic threats and failure modes.  PGN.]

  The major sections of Adam's book have these titles:

    Part 1: Getting Started
    Part 2: Finding Threats
    Part 3: Managing and Addressing Threats
    Part 4: Threat Modeling in Technologies and Tricky Areas
    Part 5: Taking It To the Next Level
    Appendix A: Helpful Tools
    Appendix B: Threat Trees
    Appendix C: Attacker Lists
    Appendix D: Elevation of Privilege: The Cards
    Appendix E: Case Studies
    Bibliography (24 pages) and index

------------------------------

Date: Sun, 7 Oct 2012 20:20:16 -0900
From: RISKS-request () csl sri com
Subject: Abridged info on RISKS (comp.risks)

 The ACM RISKS Forum is a MODERATED digest. Its Usenet manifestation is
 comp.risks, the feed for which is donated by panix.com as of June 2011.
=> SUBSCRIPTIONS: PLEASE read RISKS as a newsgroup (comp.risks or equivalent)
 if possible and convenient for you.  The mailman Web interface can
 be used directly to subscribe and unsubscribe:
   http://lists.csl.sri.com/mailman/listinfo/risks
 Alternatively, to subscribe or unsubscribe via e-mail to mailman
 your FROM: address, send a message to
   risks-request () csl sri com
 containing only the one-word text subscribe or unsubscribe.  You may
 also specify a different receiving address: subscribe address= ... .
 You may short-circuit that process by sending directly to either
   risks-subscribe () csl sri com or risks-unsubscribe () csl sri com
 depending on which action is to be taken.

 Subscription and unsubscription requests require that you reply to a
 confirmation message sent to the subscribing mail address.  Instructions
 are included in the confirmation message.  Each issue of RISKS that you
 receive contains information on how to post, unsubscribe, etc.

=> The complete INFO file (submissions, default disclaimers, archive sites,
 copyright policy, etc.) is online.
   <http://www.CSL.sri.com/risksinfo.html>
 *** Contributors are assumed to have read the full info file for guidelines.

=> .UK users may contact <Lindsay.Marshall () newcastle ac uk>.
=> SPAM challenge-responses will not be honored.  Instead, use an alternative
 address from which you NEVER send mail!
=> SUBMISSIONS: to risks () CSL sri com with meaningful SUBJECT: line.
 *** NOTE: Including the string `notsp' at the beginning or end of the subject
 *** line will be very helpful in separating real contributions from spam.
 *** This attention-string may change, so watch this space now and then.
=> ARCHIVES: ftp://ftp.sri.com/risks for current volume
     or ftp://ftp.sri.com/VL/risks for previous VoLume
 http://www.risks.org takes you to Lindsay Marshall's searchable archive at
 newcastle: http://catless.ncl.ac.uk/Risks/VL.IS.html gets you VoLume, ISsue.
   Lindsay has also added to the Newcastle catless site a palmtop version
   of the most recent RISKS issue and a WAP version that works for many but
   not all telephones: http://catless.ncl.ac.uk/w/r
 <http://the.wiretapped.net/security/info/textfiles/risks-digest/> .
==> PGN's comprehensive historical Illustrative Risks summary of one liners:
    <http://www.csl.sri.com/illustrative.html> for browsing,
    <http://www.csl.sri.com/illustrative.pdf> or .ps for printing
  is no longer maintained up-to-date except for recent election problems.
 *** NOTE: If a cited URL fails, we do not try to update them.  Try
  browsing on the keywords in the subject line or cited article leads.
==> Special Offer to Join ACM for readers of the ACM RISKS Forum:
    <http://www.acm.org/joinacm1>

------------------------------

End of RISKS-FORUM Digest 27.79
************************