RISKS Forum mailing list archives
Risks Digest 28.10
From: RISKS List Owner <risko () csl sri com>
Date: Fri, 25 Jul 2014 10:51:39 PDT
RISKS-LIST: Risks-Forum Digest  Friday 25 July 2014  Volume 28 : Issue 10

ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
Peter G. Neumann, moderator, chmn ACM Committee on Computers and Public Policy

***** See last item for further information, disclaimers, caveats, etc. *****
This issue is archived at <http://www.risks.org> as
  <http://catless.ncl.ac.uk/Risks/28.10.html>
The current issue can be found at
  <http://www.csl.sri.com/users/risko/risks.txt>

  Contents:
Something ... wrong with US Passport computers (danny burstein)
How Big Telecom came to fear one Tennessee town
  (Lauren Lyster via geoff goodfellow)
Smart grid hack worries to raise insurance rates?
  (Suzanne Johnson via Dave Farber)
How Hackers Hid a Money-Mining Botnet in Amazon's Cloud
  (Andy Greenberg via Dewayne Hendricks)
Re: How Hackers Hid a Money-Mining Botnet in Amazon's Cloud
  (Ross Stapleton-Gray)
Black Hat conference Tor presentation canceled (Clay Wells via Dave Farber)
Russian government offers huge reward for help unmasking anonymous Tor users
  (Lauren Weinstein)
iOS devices are still safe -- from everybody except Apple and NSA
  (Serdar Yegulalp via Gene Wirchenko)
When is a fire not a fire? (Michael Bacon)
Re: Unix "*" wildcards considered harmful (John Levine)
Re: Disk-sniffing dogs find thumb drives, DVDs? (Scott Miller)
Abridged info on RISKS (comp.risks)

----------------------------------------------------------------------

Date: Thu, 24 Jul 2014 22:03:13 -0400 (EDT)
From: danny burstein <dannyb () panix com>
Subject: Something ... wrong with US Passport computers

[No one seems to be making any public explanations, except for this
writeup at the Voice of America:]

Computer Crash Halts US Visa, Passport Operation

The U.S. State Department says a computer glitch will delay passports and
visas being issued from its embassies around the world.

Officials in Washington say the computer glitch discovered on Saturday (the
VOA report was Thursday/ed) potentially could leave millions of people
waiting for U.S. travel documents.

State Department spokeswoman Marie Harf said the problem is worldwide, and
not specific to any country, documents or visa category. She says it will
stall the issuance of U.S. passports, visas and reports of Americans born
abroad.

rest:
http://www.voanews.com/content/us-visa-passort-operation-halted-by-computer-crash/1964222.html

------------------------------

Date: Thu, 24 Jul 2014 07:19:55 -1000
From: the keyboard of geoff goodfellow <geoff () iconia com>
Subject: How Big Telecom came to fear one Tennessee town (Lauren Lyster)

Lauren Lyster, Yahoo Finance, 23 Jul 2014

A Tennessee city with fewer than 200,000 residents has arguably become
private cable companies' worst nightmare. How? The city of Chattanooga's
public electric utility provides super-fast broadband Internet service to
residents at competitive prices. Now, the utility -- the EPB -- is trying to
expand its reach beyond city limits. Private sector telecom companies are
fighting this effort and appear worried other cities will follow
Chattanooga's lead.

To expand to more residents in a state where one in five are without
Internet access, the EPB needs the Federal Communications Commission to
preempt a statute that prohibits the utility from competing with private
telecom companies outside its current market. David Sirota, senior writer at
International Business Times, tells us in the video above telecom companies
are trying to get the FCC to not preempt this law.

As for why this issue exists, Sirota argues "private cable companies don't
like publicly-owned municipalities to compete with them," and so have
successfully lobbied for passage of laws in 20 states that ban or restrict
local governments from offering Internet service.

Check out the video to see how Chattanooga, known as "Gig City," has been
able to offer what analysts say is the fastest Internet in the country -- 50
times the average speed for homes in the rest of the U.S. -- for $70 a month.
http://www.nytimes.com/2014/02/04/technology/fast-internet-service-speeds-business-development-in-chattanooga.html?_r=0

Meanwhile, hundreds of municipalities are reportedly laying their own fiber
networks, and more than 100 have started offering Internet access already.
Sirota thinks cities and towns will use what limited power they have to
continue doing this, saying the "fight will be can they move this from
successful model places like Chattanooga outwards." Sirota anticipates a
renewed round of lobbying from big telecom companies. ...

<http://www.governing.com/columns/eco-engines/col-public-or-private-sector-who-controls-broadband.html>

------------------------------

Date: Wednesday, July 23, 2014
From: *Suzanne Johnson* <fuhn () pobox com>
Subject: Smart grid hack worries to raise insurance rates?

[Via Dave Farber]

Apparently the insurance industry and the utility folks are beginning to
look at the security issues around "smart grids", and realizing the
risks.....

Quick Take: As an industry, we've done a lot of thinking about the smart
meter cost/benefit equation. But I wonder if we've adequately considered
what would happen if smart meters made insurance rates go up? Two recent
articles in the Insurance Journal suggest that the insurance industry is
waking up to this new concern.  Jesse Berst
http://www.smartgridnews.com/artman/publish/Technologies_Metering/Smart-meters-are-a-time-bomb-for-utilities-warns-insurance-expert-6652.html

and, from The Insurance Journal....

Last November, Felix Lindner came very close to shutting down the power
supply of Ettlingen, a town of almost 40,000 people in the south of Germany.

``We could have switched off everything: power, water, gas,'' Lindner, head
of Berlin-based Recurity Labs, an IT security company, said.

Fortunately for residents, Lindner's cyber attack on its energy utility,
Stadtwerke Ettlingen, was simulated. But he revealed how easy it was to hack
into the utility's network through its IT grid, which gave him access to its
control room.

``The experiment has shown that sensitive, critical infrastructure is not
sufficiently protected,'' said Eberhard Oehler, managing director of the
utility, Stadtwerke Ettlingen.

Cyber attacks on infrastructure have become a major worry for utilities
following the 2010 Stuxnet computer virus, which experts believe was used by
Israel and the United States to make some of Iran's nuclear centrifuges tear
themselves apart. [...]

http://www.insurancejournal.com/news/international/2014/07/18/335214.htm

------------------------------

Date: Thursday, July 24, 2014
From: *Dewayne Hendricks* <dewayne () warpspeed com>
Subject: How Hackers Hid a Money-Mining Botnet in Amazon's Cloud (Andy Greenberg)

Andy Greenberg, *WiReD*, 24 Jul 2014 (Via Dave Farber)
http://www.wired.com/2014/07/how-hackers-hid-a-money-mining-botnet-in-amazons-cloud/

Hackers have long used malware to enslave armies of unwitting PCs, but
security researchers Rob Ragan and Oscar Salazar had a different thought:
Why steal computing power from innocent victims when there's so much free
processing power out there for the taking?

At the Black Hat conference in Las Vegas next month Ragan and Salazar plan to
reveal how they built a botnet using only free trials and freemium accounts
on online application-hosting services -- the kind coders use for
development and testing to avoid having to buy their own servers and
storage. The hacker duo used an automated process to generate unique e-mail
addresses and sign up for those free accounts en masse, assembling a
cloud-based botnet of around a thousand computers.

That online zombie horde was capable of launching coordinated cyberattacks,
cracking passwords, or mining hundreds of dollars a day worth of
cryptocurrency. And by assembling that botnet from cloud accounts rather than
hijacked computers, Ragan and Salazar believe their creation may have even
been legal.

``We essentially built a supercomputer for free,'' says Ragan, who along
with Salazar works as a researcher for the security consultancy Bishop Fox.
``We're definitely going to see more malicious activity coming out of these
services.''

  Imagine a distributed denial-of-service attack where the incoming IP
  addresses are all from Google and Amazon

Companies like Google, Heroku, Cloud Foundry, CloudBees, and many more offer
developers the ability to host their applications on servers in faraway data
centers, often reselling computing resources owned by companies like Amazon
and Rackspace. Ragan and Salazar tested the account creation process for
more than 150 of those services. Only a third of them required any
credentials beyond an e-mail address -- additional information like a credit
card, phone number, or filling out a captcha. Choosing among the easy
two-thirds, they targeted about 15 services that let them sign up for a free
account or a free trial. The researchers won't name those vulnerable
services, to avoid helping malicious hackers follow in their footsteps.

``A lot of these companies are startups trying to get as many users as
quickly as possible. They're not really thinking about defending against
these kinds of attacks.'' ...

------------------------------

Date: Thursday, July 24, 2014
From: *Ross Stapleton-Gray* <ross.stapletongray () gmail com>
Subject: Re: How Hackers Hid a Money-Mining Botnet in Amazon's Cloud

We need to recognize we're in the last days of the "people-moderated
processes," i.e., where things can't happen so fast, as they depend on
individuals' actions.

We're well into an age where the right tail of "smart software" has
overlapped the left tail of "humans," in terms of ability to respond to
various tests, e.g., captchas, or even carrying on a simple conversation...
given the keyhole of "text over the Internet," it's getting easier and
easier for bots to pass. (And yet, tests can't be made harder, lest more and
more average humans fail in false negatives.)

Any system that depends on mapping obligations to individuals, and doesn't
account for the problem that bots can masquerade as individuals, is asking
for trouble. The trouble is, here, that the trouble they get ends up having
its greatest impact on third parties.

So I think we also ought to pay a good deal more attention to the economics
and liability side of security... I attended the UC Berkeley workshop
organized by Hal Varian, Ross Anderson, and Bruce Schneier, et al., more
than a decade ago ( http://www.cl.cam.ac.uk/~rja14/econws.html ), and more
of that would be a good thing.

We are seeing lots of problems by start-ups (and not so young companies,
too) wildcatting "undervalued" resources (e.g., throwing a bunch of servers
into a cloud to dramatically reduce the cost of cycles) while failing to pay
full price for the consequences (e.g., suffering the cost of strong
authentication).

------------------------------

Date: Jul 24, 2014 8:16 AM
From: "Clay Wells" <clayw () mail med upenn edu>
Subject: Black Hat conference Tor presentation canceled

[From SECURITY-SIG via Dave Farber]

Notice from Black Hat
https://www.blackhat.com/latestintel/07212014-a-schedule-update.html

PC World article
http://www.pcworld.com/article/2456700/black-hat-presentation-on-tor-suddenly-cancelled.html

Maybe Tor anonymity is *more* easily subverted than we might think?

------------------------------

Date: Fri, 25 Jul 2014 09:51:20 -0700
From: Lauren Weinstein <lauren () vortex com>
Subject: Russian government offers huge reward for help unmasking anonymous Tor users

"The Scientific Production Association for Special-Purpose Equipment and
Communications of the Russian Interior Ministry is offering a contract for
researching methods of obtaining technical information about users and user
equipment on the Tor anonymous network, according to an entry on the Russian
government's procurement portal. It's not clear what Tor de-anonymization
would be used for, but the fact that the tender comes from the Russian
Ministry of Interior suggests that it could serve law enforcement
investigations." (PC World):
http://www.pcworld.com/article/2458420/russian-government-offers-money-for-identifying-tor-users.html

------------------------------

Date: Tue, 22 Jul 2014 10:46:42 -0700
From: Gene Wirchenko <genew () telus net>
Subject: iOS devices are still safe -- from everybody except Apple and NSA
  (Serdar Yegulalp)

Serdar Yegulalp | InfoWorld, 21 Jul 2014
Security researcher says undocumented services allow Apple and law
enforcement to access the contents of any iOS device
http://www.infoworld.com/t/mobile-security/ios-devices-are-still-safe-everybody-except-apple-and-the-nsa-246678

------------------------------

Date: Tue, 22 Jul 2014 16:27:05 +0100
From: Michael Bacon <michaelbacon () tiscali co uk>
Subject: When is a fire not a fire?

A driver on a British motorway was startled when the digital driver
information display showed "Fire", and they rapidly pulled on to the hard
shoulder and abandoned the car for safety. However, when the police arrived
it turned out that it was simply part of the name of the Adele track they
were listening to.

Very possibly a risk occasioned by some people becoming reliant on
technology and failing to engage brain. Shouting `Fire!' generates a
visceral reaction in Jo Public, but in other situations can effect the wrong
response.

Some years ago, in a joint European naval exercise, officers were exchanged
between vessels. A Belgian Gunnery Officer found himself on the bridge of a
British warship, manning the torpedo control. As part of a separate test, a
rating screamed: "Fire!" 'Guns' immediately pressed the button and a torpedo
arched from its tube and hit the water running, straight towards another
ship. Fortunately it had a dummy warhead. The captain took the Belgian
officer to one side and explained that, to avoid such mistakes, the Royal
Navy used the word "Shoot!".

------------------------------

Date: 22 Jul 2014 23:22:56 -0000
From: "John Levine" <johnl () iecc com>
Subject: Re: Unix "*" wildcards considered harmful (Harris, RISKS-28.09)

But then, how do you delete a file called -rf, for instance?

Aw, come on. This is one of the questions that's been asked and answered on
unix mailing lists and BBSes about once a week since the 1970s. (There are
many answers but one of the simplest is "rm ./-rf".) If you want to force a
command to take subsequent arguments as file names, the typical approach is
to use a "--" argument that says it's the end of the flags, but there are
other ways, too.

It is true that if you don't know what you're doing, you can shoot yourself
in the foot in Unix shell scripts. Is this really news? Is it that different
from any other programming language?

I'm not sure what to call the risk of people who don't do their homework and
blame everyone but themselves when they screw up.

  [Also noted by R A Lichtensteiger, who adds: "This sort of file appears
  every time someone writes a shell script that directs data into a file
  named ${FOO}-${BAR}-something and fails to initialize $FOO, $BAR, or both.
  So, this is the sort of question I would ask an entry-level candidate for
  a sysadmin position, as a filter." PGN]

------------------------------

Date: Wed, 23 Jul 2014 12:29:28 -0400
From: "Scott Miller" <SMiller () unimin com>
Subject: Re: Disk-sniffing dogs find thumb drives, DVDs? (RISKS-28.09)

Frankly, both scenarios (dogs positively identifying DVDs or portable memory
devices) fail my sniff test (sorry PGN, you had your chance :). Can a dog
detect the smell of microelectronics with its nose? Plausibly. Can a dog
distinguish between different types of electronic devices by smell? Highly
unlikely, in my estimation. I anticipate that evidence found via warrants
issued with this premise as justification will be ultimately ruled
inadmissible. My speculation is that with Richard Nixon's War On (Some)
Drugs on its last lame leg, the cops are desperately seeking additional
funding sources, and willing to stoop to fraud to obtain it (shocking,
that). A little ground beef smeared on the search objects beforehand would
easily duplicate these results.

  [Perhaps the dog had one leg up on the situation? PGN]

------------------------------

Date: Sun, 7 Oct 2012 20:20:16 -0900
From: RISKS-request () csl sri com
Subject: Abridged info on RISKS (comp.risks)

 The ACM RISKS Forum is a MODERATED digest. Its Usenet manifestation is
 comp.risks, the feed for which is donated by panix.com as of June 2011.
=> SUBSCRIPTIONS: PLEASE read RISKS as a newsgroup (comp.risks or equivalent)
 if possible and convenient for you. The mailman Web interface can
 be used directly to subscribe and unsubscribe:
   http://lists.csl.sri.com/mailman/listinfo/risks
 Alternatively, to subscribe or unsubscribe via e-mail to mailman
 your FROM: address, send a message to
   risks-request () csl sri com
 containing only the one-word text subscribe or unsubscribe. You may
 also specify a different receiving address: subscribe address= ... .
 You may short-circuit that process by sending directly to either
   risks-subscribe () csl sri com or risks-unsubscribe () csl sri com
 depending on which action is to be taken. Subscription and
 unsubscription requests require that you reply to a confirmation message
 sent to the subscribing mail address. Instructions are included in the
 confirmation message. Each issue of RISKS that you receive contains
 information on how to post, unsubscribe, etc.
=> The complete INFO file (submissions, default disclaimers, archive sites,
 copyright policy, etc.) is online.
   <http://www.CSL.sri.com/risksinfo.html>
 *** Contributors are assumed to have read the full info file for guidelines.
=> .UK users may contact <Lindsay.Marshall () newcastle ac uk>.
=> SPAM challenge-responses will not be honored. Instead, use an alternative
 address from which you NEVER send mail!
=> SUBMISSIONS: to risks () CSL sri com with meaningful SUBJECT: line.
 *** NOTE: Including the string `notsp' at the beginning or end of the subject
 *** line will be very helpful in separating real contributions from spam.
 *** This attention-string may change, so watch this space now and then.
=> ARCHIVES: ftp://ftp.sri.com/risks for current volume
     or ftp://ftp.sri.com/VL/risks for previous VoLume
   http://www.risks.org takes you to Lindsay Marshall's searchable archive at
   newcastle: http://catless.ncl.ac.uk/Risks/VL.IS.html gets you VoLume, ISsue.
   Lindsay has also added to the Newcastle catless site a palmtop version
   of the most recent RISKS issue and a WAP version that works for many but
   not all telephones: http://catless.ncl.ac.uk/w/r
   <http://the.wiretapped.net/security/info/textfiles/risks-digest/> .
==> PGN's comprehensive historical Illustrative Risks summary of one liners:
   <http://www.csl.sri.com/illustrative.html> for browsing,
   <http://www.csl.sri.com/illustrative.pdf> or .ps for printing
   is no longer maintained up-to-date except for recent election problems.
 *** NOTE: If a cited URL fails, we do not try to update them. Try browsing
 on the keywords in the subject line or cited article leads.
==> Special Offer to Join ACM for readers of the ACM RISKS Forum:
   <http://www.acm.org/joinacm1>

------------------------------

End of RISKS-FORUM Digest 28.10
************************
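The point of John Levine's item above (deleting a file named -rf with "rm ./-rf" or "rm -- -rf") and of R A Lichtensteiger's note on how such files get created, worked through as an added example that is not part of the digest. This is a POSIX shell script written for this page; it assumes a Unix with mktemp and a POSIX rm, and the variable name PREFIX is a stand-in for the uninitialised ${FOO} of the note. It goes one step beyond the item by also showing "set -u", the shell option that aborts on an unset variable and would have prevented the dash-prefixed file name in the first place.

```shell
#!/bin/sh
# Added example, not from the RISKS digest. Reproduces the scenario in John
# Levine's reply: a file whose name begins with a dash, created by the
# uninitialised-variable bug R A Lichtensteiger describes. All work happens
# in a throw-away directory created with mktemp.

unset PREFIX                      # simulate the forgotten initialisation
demo_dir=$(mktemp -d) || exit 1
cd "$demo_dir" || exit 1

# The buggy script line: "${PREFIX}-rf" expands to just "-rf" because PREFIX
# was never set. (PREFIX stands in for the ${FOO} of the original note.)
# Prints the resulting file name.
create_dash_file() {
    name="${PREFIX}-rf"
    printf 'some output\n' > "$name"   # a redirection takes the name literally
    [ -e "./$name" ] && printf '%s' "$name"
}

# What most people type first. rm parses "-rf" as its options, is left with
# no file operand, and the file survives. Returns 0 when the file is still there.
naive_rm_leaves_file() {
    rm -rf 2>/dev/null || true
    [ -e ./-rf ]
}

# Fix 1 (Levine): "--" tells rm that everything after it is an operand.
rm_with_double_dash() {
    rm -- -rf && [ ! -e ./-rf ]
}

# Fix 2 (Levine): a path prefix means the operand no longer starts with a dash.
rm_with_dot_slash() {
    rm ./-rf && [ ! -e ./-rf ]
}

# Prevention (added here, not in the digest): "set -u" makes the shell abort
# on an unset variable instead of silently producing a dash-prefixed name.
# Runs in a subshell so the abort is contained. Returns 0 if the guard fires.
set_u_catches_unset_variable() {
    if ( set -u; : "${PREFIX}-rf" ) 2>/dev/null; then
        return 1      # expansion succeeded, so the guard did not fire
    fi
    return 0
}

# Runs the whole scenario in order and prints a one-word verdict.
run_demo() {
    [ "$(create_dash_file)" = "-rf" ] || { echo create-failed; return 1; }
    naive_rm_leaves_file              || { echo naive-rm-removed-it; return 1; }
    rm_with_double_dash               || { echo double-dash-failed; return 1; }
    [ "$(create_dash_file)" = "-rf" ] || { echo recreate-failed; return 1; }
    rm_with_dot_slash                 || { echo dot-slash-failed; return 1; }
    set_u_catches_unset_variable      || { echo set-u-did-not-fire; return 1; }
    echo ok
}

run_demo
```

Run it with sh and it prints "ok"; each function returns non-zero and names the failing step otherwise. The "rm -rf" step is the one to notice: the command exits quietly and the file is still there, which is exactly the failure mode that leads people to reach for the wildcard tricks the original thread was about.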