RISKS Forum mailing list archives
Risks Digest 28.33
From: RISKS List Owner <risko () csl sri com>
Date: Tue, 4 Nov 2014 11:58:12 PST
RISKS-LIST: Risks-Forum Digest  Tuesday 4 November 2014  Volume 28 : Issue 33

ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
Peter G. Neumann, moderator, chmn ACM Committee on Computers and Public Policy

***** See last item for further information, disclaimers, caveats, etc. *****
This issue is archived at <http://www.risks.org> as
  <http://catless.ncl.ac.uk/Risks/28.33.html>
The current issue can be found at
  <http://www.csl.sri.com/users/risko/risks.txt>

  Contents:
Online voting rife with hazards (Barbara Simons)
Risks of assuming votes are accurate (John Long)
Open Surveillance (Bryan Ford)
Smart Televisions are highly susceptible to hacking by radio transmission
  (robert schaefer)
"Cyber espionage group launches sophisticated phishing attacks against
  Outlook Web App users" (Lucian Constantin via Gene Wirchenko)
"Tor Project flags Russian 'exit node' server delivering malware"
  (Jeremy Kirk)
"Advisory says to assume all Drupal 7 websites are compromised"
  (Steve Ragan)
"Drupal sites, assume you've been hacked" (Serdar Yegulalp)
How a dumb software glitch kept thousands from reaching 911 (Brian Fung)
Verizon, AT&T tracking their users with 'supercookies' (Craig Timberg)
Somebody's Already Using Verizon's ID to Track Users (Angwin and Larson)
Cell carrier was weakest link in hack of Google, Instagram accounts
  (Sean Gallagher)
Critics chafe as Macs send sensitive docs to iCloud without warning
  (Dan Goodin)
AT&T's outdated unlock policies cost it a loyal customer: me
  (Lee Hutchinson)
With School Ban Nearing End, New York City Works on How and When to Allow
  Cellphones (NYT)
"Have we gotten so pathetically lame that you need to be notified by email
  that your laundry is done?" (Matthew Kruk)
Why Adobe got away with monitoring users (Kurt Seifried)
Windows Update intentionally destroys chips (Michael Kohne)
Re: The NSA has no interest in protecting you & me (Gene Spafford)
Did anyone call a taxi? (Ed Ravin)
The 7th annual Underhanded C Contest is now open (robert schaefer)
Abridged info on RISKS (comp.risks)

----------------------------------------------------------------------

Date: Tue, 4 Nov 2014 10:22:43 PST
From: "Peter G. Neumann" <neumann () csl sri com>
Subject: Online voting rife with hazards (Barbara Simons)

  [It's Election Day in the U.S. today.  Stand by for possible RISKS items
  in the next few days, with several critical runoffs expected to delay the
  outcomes.  PGN]

Barbara Simons, *USA Today* (op-ed), 4 Nov 2014
Casting ballots on Internet may be a new trend, but it is neither secure
nor trustworthy.
http://www.usatoday.com/story/opinion/2014/11/04/barbara-simons-online-voting-problems/18461679/

Today Americans are voting in an election that could shift control of the
U.S. Senate and significantly impact the direction our nation will take in
the next few years.  Yet, 31 states will allow over 3 million voters to cast
ballots over the Internet in this election, a practice that computer
security experts in both the federal government and the private sector have
warned is neither secure nor trustworthy.

Most states' online voting is limited to military and overseas voters, but
Alaska now permits all voters to vote over the Internet.  With a hotly
contested Senate seat in Alaska, the use of an online voting system raises
serious concerns about the integrity of Alaska's election results.

Alaska's State Election Division has even acknowledged that its "secure
online voting solution" may not be all that secure by posting this
disclaimer on its website: "When returning the ballot through the secure
online voting solution, your are [sic] voluntarily waving [sic] your right
to a secret ballot and are assuming the risk that a faulty transmission may
occur."

Unfortunately, faulty transmission is only one of the risks of Internet
voting.  There are countless ways ballots cast over the Internet can be
hacked and modified by cyber criminals.

The National Institute of Standards and Technology, at the direction of
Congress, has conducted extensive research into Internet voting in the last
decade and published several reports that outline all the ways votes sent
over the Internet can be manipulated without detection.  After warning that
there are many possible attacks that could have an undiscovered large-scale
impact, the institute concluded that secure Internet voting is not yet
achievable.

Securing transactions online is a major national challenge, as demonstrated
by nearly daily reports of new cyber intrusions into networks of some of our
largest financial institutions, corporations and government agencies.
Elections are even more difficult to protect, because unlike other online
transactions, elections are especially vulnerable to undetectable hacking.

Since we vote by secret ballot, there is no way to reconcile electronic
images of ballots received with the version the voter intended to send.  In
other words, it is impossible to know if voter choices have been tampered
with somewhere between the voter's computer and the election official's
machine, thereby making it virtually impossible to confirm an attack on an
online election system.

Nonetheless online voting is expanding around the country.  Vendors of
commercial online voting systems are exploiting the understandable desire
to help remote voters by exhorting well-meaning state legislators and
election officials to forge ahead with online voting.  Aggressive marketing
practices in an unregulated market have created a perfect storm.

We cannot afford to continue putting our elections at risk by allowing the
use of insecure Internet voting systems.  Alaska's online voting system is
vulnerable to hackers from anywhere in the world.  If this election is
attacked, the outcome may be determined by the attackers and Alaskans (and
the rest of us) may never even know.  It's time for state leaders to reject
online voting unless and until it is secure.

Barbara Simons is chair of the Board of Directors of Verified Voting and a
member of the Board of Advisers of the U.S. Election Assistance Commission.
She is a former computer researcher for IBM and past-president of the
Association for Computing Machinery.

------------------------------

Date: Sat, 01 Nov 2014 23:03:22 -0400
From: John Long <j1long () mindspring com>
Subject: Risks of assuming votes are accurate

After many years of concerns on RISKS about fraud concerning voting
machines, it appears that it has come true.  In two states, voting machines
have been observed switching a vote from a Republican candidate to the
Democratic candidate.  [Again?  This is hardly new.  PGN]

The interesting thing is that the voter could actually observe the fraud
taking place.  Makes you wonder what is actually happening in those
situations where the voter could not observe the fraud.
http://www.foxnews.com/on-air/fox-and-friends/blog/2014/10/30/expert-confirms-voting-machines-illinois-and-maryland-rigged-democrats

In addition, there seemed to have been a false assumption that allowing
illegal immigrants to get driver's licenses would not have any deleterious
effects.  In fact, obtaining a driver's license allowed those individuals
to also register to vote.  All one had to do to register was show a
driver's license.  No one actually checked to see whether they were, in
fact, citizens.
http://www.nationalreview.com/article/391474/non-citizens-are-voting-john-fund

------------------------------

Date: Mon, 3 Nov 2014 15:09:09 PST
From: "Peter G. Neumann" <neumann () csl sri com>
Subject: Open Surveillance (Bryan Ford)

Bryan Ford (Yale)
Cryptography could keep electronic investigations under control
*MIT Technology Review*, page 11, vol 117, no 6, November-December 2014.
http://www.technologyreview.com/view/531681/open-surveillance/

There's also a nice short item from Dave Farber in the same section, The
Wrong Fix: Want regulations to preserve the open Internet?  Be careful what
you wish for.

Also in that issue, George Anders, The Right Way to Fix the Internet: We
need to let go of Network Neutrality... pp. 28--34.

------------------------------

Date: Mon, 3 Nov 2014 11:46:10 -0500
From: robert schaefer <rps () haystack mit edu>
Subject: Smart Televisions are highly susceptible to hacking by radio
  transmission

``Researchers discover a massive security flaw in smart TV's that allow
hackers to intercept data broadcasts, insert malicious code, and transform
the TV into an antenna that infects all other Internet-connected devices in
the household.  Once the television is infected, it seeks out all other
devices connected to the router.  The attacks are untraceable as no source
IP address or DNS server is ever presented; instead, hackers perform a
classic man-in-the-middle attack using radio transmissions.''
http://www.electronicproducts.com/Analog_Mixed_Signal_ICs/Communications/Smart_Televisions_are_highly_susceptible_to_hacking_by_radio_transmission.aspx

robert schaefer, Atmospheric Sciences Group, MIT Haystack Observatory
Westford, MA 01886  http://www.haystack.mit.edu  781-981-5767

------------------------------

Date: Mon, 03 Nov 2014 12:13:14 -0800
From: Gene Wirchenko <genew () telus net>
Subject: "Cyber espionage group launches sophisticated phishing attacks
  against Outlook Web App users" (Lucian Constantin)

Lucian Constantin, Infoworld, 24 Oct 2014
Pawn Storm attacks target military agencies, embassies, defense
contractors, and media organizations, Trend Micro says
http://www.infoworld.com/article/2838223/security/cyber-espionage-group-launches-sophisticated-phishing-attacks-against-outlook-web-app-users.html

opening text:

A cyberespionage group has been using advanced spear-phishing techniques to
steal email log-in credentials from the employees of military agencies,
embassies, defense contractors and international media outlets that use
Office 365's Outlook Web App.

------------------------------

Date: Mon, 03 Nov 2014 12:11:21 -0800
From: Gene Wirchenko <genew () telus net>
Subject: "Tor Project flags Russian 'exit node' server delivering malware"
  (Jeremy Kirk)

Jeremy Kirk, Infoworld, 27 Oct 2014
The server used a technique to append malware to legitimate code
http://www.infoworld.com/article/2839135/security/tor-project-flags-russian-exit-node-server-delivering-malware.html

opening text:

The Tor Project has flagged a server in Russia after a security researcher
found it slipped in malware when users were downloading files.

------------------------------

Date: Mon, 03 Nov 2014 12:25:15 -0800
From: Gene Wirchenko <genew () telus net>
Subject: "Advisory says to assume all Drupal 7 websites are compromised"
  (Steve Ragan)

Steve Ragan, CSO, 30 Oct 2014
Drupal urged users to apply an update on Oct. 13, but only those who
patched within seven hours may be in the clear
http://www.infoworld.com/article/2840939/security/advisory-says-to-assume-all-drupal-7-websites-are-compromised.html

opening text:

If your organization uses Drupal, you might have a serious problem on your
hands.  On Oct. 15, Drupal urged users to apply an update that fixed a SQL
Injection flaw.  However, unless that patch was installed within seven
hours, Drupal now says it's best to assume the website was completely
compromised.

------------------------------

Date: Mon, 03 Nov 2014 12:27:02 -0800
From: Gene Wirchenko <genew () telus net>
Subject: "Drupal sites, assume you've been hacked" (Serdar Yegulalp)

Serdar Yegulalp, InfoWorld, 30 Oct 2014
SQL injection bug threatens the websites of enterprises, governments, and
many other institutions using the open source Drupal CMS
http://www.infoworld.com/article/2841068/application-security/drupal-bug-leaves-enterprise-content-management-vulnerable.html

opening text:

Word broke yesterday of a major-league security issue involving Drupal, the
open source content management system (CMS) used widely in enterprises and
government.  Come to think of it, "major league" doesn't begin to cover it:
Drupal developers have admitted that if your installation wasn't patched
before Oct. 15, 11 p.m. UTC, it's best to consider the entire site
compromised.

------------------------------

Date: Tue, 4 Nov 2014 12:51:09 -0500
From: Monty Solomon <monty () roscom com>
Subject: How a dumb software glitch kept thousands from reaching 911
  (Brian Fung)

Brian Fung, *The Washington Post*, 20 Oct 2014

Whoever thinks that their call to 911 would go unanswered?  But in a
terrifying incident this spring, thousands of Americans found themselves in
need of help -- and got none.

For six hours, emergency services went dark for more than 11 million people
across seven states.  The entire state of Washington found itself
disconnected from 911.  The outage may have gone unnoticed by some, but for
the more than 6,000 people trying to reach help, April 9 may well have been
the scariest time of their lives.

Now a study from the Federal Communications Commission offers the most
in-depth explanation of the outage and why it occurred.  In a 40-page
report, the FCC found that an entirely preventable software error was
responsible for causing 911 service to drop.  The incident affected 81 call
dispatch centers, rendering emergency services inoperable in all of
Washington and parts of North Carolina, South Carolina, Pennsylvania,
California, Minnesota and Florida. ...
http://www.washingtonpost.com/blogs/the-switch/wp/2014/10/20/how-a-dumb-software-glitch-kept-6600-calls-from-getting-to-911/

------------------------------

Date: Tue, 4 Nov 2014 12:53:48 -0500
From: Monty Solomon <monty () roscom com>
Subject: Verizon, AT&T tracking their users with 'supercookies'
  (Craig Timberg)

Craig Timberg, *The Washington Post*, 3 Nov 2014

Verizon and AT&T have been quietly tracking the Internet activity of more
than 100 million cellular customers with what critics have dubbed
"supercookies" -- markers so powerful that it's difficult for even savvy
users to escape them.

The technology has allowed the companies to monitor which sites their
customers visit, cataloging their tastes and interests.  Consumers cannot
erase these supercookies or evade them by using browser settings, such as
the "private" or "incognito" modes that are popular among users wary of
corporate or government surveillance.

Verizon and AT&T say they have taken steps to alert their customers to the
tracking and to protect customer privacy as the companies develop programs
intended to help advertisers hone their pitches based on individual
Internet behavior.  But as word has spread about the supercookies in recent
days, privacy advocates have reacted with alarm, saying the tracking could
expose user Internet behavior to a wide range of outsiders -- including
intelligence services -- and may also violate federal telecommunications
and wiretapping laws. ...
http://www.washingtonpost.com/business/technology/verizon-atandt-tracking-their-users-with-super-cookies/2014/11/03/7bbbf382-6395-11e4-bb14-4cfea1e742d5_story.html

Robert Lemos, Ars Technica, 24 Oct 2014
Verizon Wireless injects identifiers that link its users to Web requests
The provider adds cookie-like tokens to alert advertisers to users'
interests.
http://arstechnica.com/security/2014/10/verizon-wireless-injects-identifiers-link-its-users-to-web-requests/

------------------------------

Date: Tue, 4 Nov 2014 12:56:59 -0500
From: Monty Solomon <monty () roscom com>
Subject: Somebody's Already Using Verizon's ID to Track Users
  (Angwin and Larson)

Julia Angwin and Jeff Larson, ProPublica, 30 Oct 2014

Twitter is using a newly discovered hidden code that the telecom carriers
are adding to every page you visit -- and it's very hard to opt out.
http://www.propublica.org/article/somebodys-already-using-verizons-id-to-track-users

------------------------------

Date: Tue, 4 Nov 2014 12:58:51 -0500
From: Monty Solomon <monty () roscom com>
Subject: Cell carrier was weakest link in hack of Google, Instagram accounts
  (Sean Gallagher)

Sean Gallagher, 3 Nov 2014, Ars Technica
Carrier was social-engineered by hacker to steal man's two-letter Instagram
name.

If you think the two-factor authentication offered by Google and other
cloud services will keep your account out of the hands of an attacker,
think again.  One developer found out this weekend the hard way; Google's
account protection scheme can be bypassed by going after something most
people would consider an even harder target -- the user's cell phone
account. ...
http://arstechnica.com/security/2014/11/cell-carrier-was-weakest-link-in-hack-of-google-instagram-accounts/

------------------------------

Date: Tue, 4 Nov 2014 12:55:19 -0500
From: Monty Solomon <monty () roscom com>
Subject: Critics chafe as Macs send sensitive docs to iCloud without warning
  (Dan Goodin)

PSA: Turn off autosave of in-progress documents containing sensitive data.

Dan Goodin, Ars Technica, 3 Nov 2014

Representing a potential privacy snare for some users, Mac OS X Yosemite
uploads documents opened in TextEdit, Preview, and Keynote to iCloud
servers by default, even if the files are later closed without ever having
been saved.

The behavior, as noted in an article from Slate, is documented in a
Knowledge Base article from December.  But it nonetheless came as a
surprise to researcher Jeffrey Paul, who said he was alarmed to recently
discover a cache of in-progress files he intended to serve as "temporary
Post-It notes" that had been silently uploaded to his iCloud account even
though he never intended or wished them to be. ...
http://arstechnica.com/security/2014/11/critics-chafe-as-macs-send-sensitive-docs-to-icloud-without-warning/

------------------------------

Date: Tue, 4 Nov 2014 13:07:10 -0500
From: Monty Solomon <monty () roscom com>
Subject: AT&T's outdated unlock policies cost it a loyal customer: me
  (Lee Hutchinson)

Lee Hutchinson, 3 Nov 2014, Ars Technica
Refuse to unlock my device for international travel?  Goodbye forever.
http://arstechnica.com/staff/2014/11/atts-outdated-unlock-policies-cost-it-a-loyal-customer-me/

------------------------------

Date: Sat, 1 Nov 2014 00:43:17 -0400
From: Monty Solomon <monty () roscom com>
Subject: With School Ban Nearing End, New York City Works on How and When
  to Allow Cellphones

http://www.nytimes.com/2014/11/01/nyregion/with-school-ban-nearing-end-new-york-city-works-on-how-and-when-to-allow-cellphones.html

------------------------------

Date: Sun, 2 Nov 2014 18:29:47 -0700
From: "Matthew Kruk" <mkrukg () gmail com>
Subject: "Have we gotten so pathetically lame that you need to be notified
  by an email that your laundry is done?"

http://www.smh.com.au/technology/technology-news/why-whirlpools-smart-washing-machine-was-a-dumb-idea-20141101-11flym.html

  [The Internet of Thinks?  PGN]

------------------------------

Date: Fri, 31 Oct 2014 19:29:32 -0600
From: Kurt Seifried <kurt () seifried org>
Subject: Why Adobe got away with monitoring users

I asked Mitre to assign a CVE for this issue; it seems pretty clearly to be
a security issue.  One thing I've noticed over the last decade is
increasingly "if no CVE, then not a security issue" due to CVEs being used
to track issues/act as a name (I've literally never seen a customer/client
make a big deal about a security flaw if it doesn't have a CVE).

Mitre's response: http://seclists.org/oss-sec/2014/q4/206

== ==
So, for example, the
http://boingboing.net/2014/10/07/adobe-ebook-drm-secretly-build.html
article would indicate to me that this is CVE worthy under #4.

Currently not; Adobe has a statement quoted at:
http://arstechnica.com/security/2014/10/adobes-e-book-reader-sends-your-reading-logs-back-to-adobe-in-plain-text/
indicating that the information disclosure is intentional, and is (from
their point of view) useful to them.  This is just an example of a behavior
that might also occur in an open-source product.  The Adobe issue itself is
off-topic for this list.
== ==

So I guess vendors can avoid security flaws by saying "we meant to do that,
sending your information back to us without informed consent, and doing it
insecurely is ok, because we meant to."

I am disappointed to say the least.

------------------------------

Date: Sat, 1 Nov 2014 09:17:45 -0400
From: Michael Kohne <mhkohne () kohne org>
Subject: Windows Update intentionally destroys chips (Baker, RISKS-28.32)

I just want to clarify one point here: The device is NOT 'useless forever'.
The ability to change the PID/VID/etc. is an intentional feature of the
original FTDI chips, which is duplicated in the clones in question.  As far
as I can tell from what I've read, FTDI simply used the appropriate calls
to change the PID.  Anyone with an older (non-destructive) version of the
FTDI drivers and tools can use them to change the PID back to something
sensible.

Secondly, has there been any legal action against FTDI over this?  While
FTDI clearly has the right to make their driver reject other companies'
hardware, actually trying to break end-users' equipment seems to me to be
an actionable offense.  I'd hope that this is something that would in fact
rise to the level of a criminal complaint, not just civil.  Am I wrong that
breaking people's stuff without notice is kind of against the law here?

------------------------------

Date: Sun, 2 Nov 2014 12:07:42 -0500
From: Gene Spafford <spaf () purdue edu>
Subject: Re: The NSA has no interest in protecting you & me
  (Baker, RISKS-28.32)

I don't think Henry Baker's contribution to RISKS 28.32 sounds insane,
although I am unsure of the amount of contribution of MAD to the madness.
There is a clear issue involved here, however, of the government putting
too much emphasis on a military solution to cyber security issues, and the
military once again focusing on fighting the last war.

I've spoken about this in invited talks over the last decade, and
summarized it (and related thoughts) in the CERIAS blog a while ago:
https://ceri.as/9er1z

------------------------------

Date: Sat, 1 Nov 2014 11:24:39 -0400
From: Ed Ravin <eravin () panix com>
Subject: Did anyone call a taxi? (Re: Maziuk, RISKS-28.32)

> I'd be more worried about taxi drivers perusing the google's location
> history URL, finding areas where most destinations are, and staying
> there.  The risk is then you can't get a cab anywhere else.

This already happened in New York City, no computer technology needed.
Over the last 40-50 years, the places where you could pick up a yellow cab
have contracted to Manhattan below 125th St, the airports, and a few outer
borough neighborhoods that are either near Manhattan or on the way to/from
the yellow taxi base stations.  As yellow taxis were the only cabs allowed
to answer street hails, outer borough residents had to either reserve a cab
with a local taxi service or find a cabbie on the street that would
illegally pick them up (which might have been an unlicensed or "gypsy" cab
with no insurance).

The city recently created a new fleet of apple-green taxis that are
authorized to do street hails, but only in the areas that the yellow taxis
abandoned.  Other than the color and the restrictions, they are pretty much
the same service as the yellow taxis.

The map on this site shows the Manhattan-centricity of where yellow cabs
pick up fares:
http://www.nyc.gov/html/tlc/html/passenger/shl_passenger_background.shtml

  [Also noted very similarly by John Levine.  PGN]

------------------------------

Date: Mon, 3 Nov 2014 12:32:00 -0500
From: robert schaefer <rps () haystack mit edu>
Subject: The 7th annual Underhanded C Contest is now open.

``The goal of the contest is to write code that is as readable, clear,
innocent and straightforward as possible, and yet it must fail to perform
at its apparent function.  To be more specific, it should do something
subtly evil.''
http://www.underhanded-c.org

robert schaefer, Atmospheric Sciences Group, MIT Haystack Observatory
Westford, MA 01886  http://www.haystack.mit.edu  781-981-5767

------------------------------

Date: Sun, 7 Oct 2012 20:20:16 -0900
From: RISKS-request () csl sri com
Subject: Abridged info on RISKS (comp.risks)

 The ACM RISKS Forum is a MODERATED digest.  Its Usenet manifestation is
 comp.risks, the feed for which is donated by panix.com as of June 2011.
=> SUBSCRIPTIONS: PLEASE read RISKS as a newsgroup (comp.risks or equivalent)
 if possible and convenient for you.  The mailman Web interface can
 be used directly to subscribe and unsubscribe:
   http://lists.csl.sri.com/mailman/listinfo/risks
 Alternatively, to subscribe or unsubscribe via e-mail to mailman
 your FROM: address, send a message to
   risks-request () csl sri com
 containing only the one-word text subscribe or unsubscribe.  You may
 also specify a different receiving address: subscribe address= ... .
 You may short-circuit that process by sending directly to either
   risks-subscribe () csl sri com  or  risks-unsubscribe () csl sri com
 depending on which action is to be taken.

 Subscription and unsubscription requests require that you reply to a
 confirmation message sent to the subscribing mail address.  Instructions
 are included in the confirmation message.  Each issue of RISKS that you
 receive contains information on how to post, unsubscribe, etc.

=> The complete INFO file (submissions, default disclaimers, archive sites,
 copyright policy, etc.) is online.
   <http://www.CSL.sri.com/risksinfo.html>
 *** Contributors are assumed to have read the full info file for guidelines.

=> .UK users may contact <Lindsay.Marshall () newcastle ac uk>.
=> SPAM challenge-responses will not be honored.  Instead, use an alternative
 address from which you NEVER send mail!
=> SUBMISSIONS: to risks () CSL sri com with meaningful SUBJECT: line.
 *** NOTE: Including the string `notsp' at the beginning or end of the subject
 *** line will be very helpful in separating real contributions from spam.
 *** This attention-string may change, so watch this space now and then.
=> ARCHIVES: ftp://ftp.sri.com/risks for current volume
     or ftp://ftp.sri.com/VL/risks for previous VoLume
 http://www.risks.org takes you to Lindsay Marshall's searchable archive at
 newcastle: http://catless.ncl.ac.uk/Risks/VL.IS.html gets you VoLume, ISsue.
 Lindsay has also added to the Newcastle catless site a palmtop version
 of the most recent RISKS issue and a WAP version that works for many but
 not all telephones: http://catless.ncl.ac.uk/w/r
 <http://the.wiretapped.net/security/info/textfiles/risks-digest/> .
==> PGN's comprehensive historical Illustrative Risks summary of one liners:
   <http://www.csl.sri.com/illustrative.html> for browsing,
   <http://www.csl.sri.com/illustrative.pdf> or .ps for printing
 is no longer maintained up-to-date except for recent election problems.
 *** NOTE: If a cited URL fails, we do not try to update them.  Try
 browsing on the keywords in the subject line or cited article leads.
==> Special Offer to Join ACM for readers of the ACM RISKS Forum:
   <http://www.acm.org/joinacm1>

------------------------------

End of RISKS-FORUM Digest 28.33
************************