RISKS Forum mailing list archives
Risks Digest 28.45
From: RISKS List Owner <risko () csl sri com>
Date: Mon, 12 Jan 2015 16:15:30 PST
RISKS-LIST: Risks-Forum Digest  Monday 12 January 2015  Volume 28 : Issue 45

ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
Peter G. Neumann, moderator, chmn ACM Committee on Computers and Public Policy

***** See last item for further information, disclaimers, caveats, etc. *****
This issue is archived at <http://www.risks.org> as
  <http://catless.ncl.ac.uk/Risks/28.45.html>
The current issue can be found at
  <http://www.csl.sri.com/users/risko/risks.txt>

  Contents:
Ford recalls SUVs because drivers are accidentally turning them off (Ben Rothke)
Green Bank, WV: The Town Without Wi-Fi (Monty Solomon)
Risks in Using Social Media to Spot Signs of Mental Distress (Monty Solomon)
EU response to free speech killings? More Internet censorship!
  (Gigaom via Lauren Weinstein)
Snowden: U.S. puts too much emphasis on cyber-offense, needs defense
  (Dewayne Hendricks)
Biometric Identification (Anthony Thorn)
Memory corruption (Martyn Thomas)
Morgan Stanley Breach Put Client Data Up for Sale on Pastebin, an Online Site
  (Nathaniel Popper via Monty Solomon)
US banks trace credit fraud to Chick-fil-A locales in possible data breach
  (Ars via Monty Solomon)
Re: "Could e-voting be on its way in the UK?" (Amos Shapir, Tony Finch)
An oldie but goodie ODBC risk (Bernard Peek)
Sony Cyberattack, First a Nuisance, Swiftly Grew Into a Firestorm
  (Cieply and Barnes via Monty Solomon)
World's first *known* bootkit for OS X can permanently backdoor Macs (Dan Goodin)
Spotlight search in OS X Yosemite exposes private user details to spammers
  (Monty Solomon)
Apps Everywhere, but No Unifying Link (Monty Solomon)
Re: Gogo Issues False SSL Certificates, Allowing them to decode SSL Traffic
  (Bob Gezelter)
ASUS Routers reportedly vulnerable to local area network command execution
  exploit (Bob Gezelter)
Re: Too many pilots can't handle an emergency (Craig Burton)
Re: Lenovo recalls more than 500,000 power cords (david lewis, Dick Mills)
Abridged info on RISKS (comp.risks)

----------------------------------------------------------------------

Date: Tue, 6 Jan 2015 19:09:51 -0500
From: Ben Rothke <brothke () hotmail com>
Subject: Ford recalls SUVs because drivers are accidentally turning them off

Perhaps Ford didn't do enough UI testing...

http://www.autonews.com/article/20141231/RETAIL05/141239986/lincoln-mkc-recalled-to-move-push-button-start-from-near-touchscreen

Ford is recalling about 13,500 2015 Lincoln MKC because drivers are shutting
the vehicle off by mistake. Drivers are mistakenly touching the crossover
SUV's push-button ignition button while the car is driving, Ford found.
``Due to the switch's close proximity to other controls occupants are
inadvertently shutting off the engine while driving,'' Ford said in a
statement.

------------------------------

Date: Sun, 11 Jan 2015 23:42:20 -0500
From: Monty Solomon <monty () roscom com>
Subject: Green Bank, WV: The Town Without Wi-Fi

The residents of Green Bank, West Virginia, can't use cell phones, wifi, or
other kinds of modern technology due to a high-tech government telescope.
Recently, this ban has made the town a magnet for technophobes, and the
locals aren't thrilled to have them.

http://www.washingtonian.com/articles/people/the-town-without-wi-fi/

------------------------------

Date: Fri, 26 Dec 2014 21:32:18 -0800
From: Monty Solomon <monty () roscom com>
Subject: Risks in Using Social Media to Spot Signs of Mental Distress

http://www.nytimes.com/2014/12/27/technology/risks-in-using-social-posts-to-spot-signs-of-distress.html

The ill-fated introduction in Britain of an app to detect predictors of
suicide shows what may happen when social media posts are scrutinized for
cues about a person's mental health.

------------------------------

Date: Mon, 12 Jan 2015 09:46:02 -0800
From: Lauren Weinstein <lauren () vortex com>
Subject: EU response to free speech killings? More Internet censorship!

(Gigaom):
https://gigaom.com/2015/01/11/eu-response-to-free-speech-killings-more-internet-censorship/?utm_medium=social&utm_campaign=socialflow&utm_source=twitter&utm_content=eu-response-to-free-speech-killings-more-internet-censorship_905730

The interior ministers of France, Germany, Latvia, Austria, Belgium,
Denmark, Spain, Italy, the Netherlands, Poland, Sweden and the U.K. said in
a statement (PDF) that, while the Internet must remain ``in scrupulous
observance of fundamental freedoms, a forum for free expression, in full
respect of the law.'' ISPs need to help ``create the conditions of a swift
reporting of material that aims to incite hatred and terror and the
condition of its removing, where appropriate/possible.''

 - - -

European leaders seem lately to be reliably wrong on most free speech
issues coming down the pipe. It's especially damaging when they try to
extend their misguided, counterproductive views on this subject to the
world beyond Europe. Censorship doesn't work in the Internet era. Trying to
remove or de-index materials you fear or dislike only drives them
underground in more dangerous ways.

------------------------------

Date: Jan 8, 2015 2:45 PM
From: "Dewayne Hendricks" <dewayne () warpspeed com>
Subject: Snowden: U.S. puts too much emphasis on cyber-offense, needs defense

[via Dave Farber]

Sean Gallagher, Ars Technica, 8 Jan 2015
In PBS NOVA interview, Snowden warns that U.S. cyber warfare strategy could
backfire.
http://arstechnica.com/tech-policy/2015/01/snowden-us-has-put-too-much-emphasis-on-cyber-offense-needs-defense/

In an on-camera interview with James Bamford for an upcoming episode of PBS'
NOVA, Edward Snowden warned that the U.S. Department of Defense and National
Security Agency have over-emphasized the development of offensive network
capabilities, placing the U.S.'s own systems at greater risk. With other
countries now developing offensive capabilities that approach those of the
NSA and the U.S. Cyber Command, Snowden believes the U.S. has much more at
stake.

The raw transcript of the NOVA interview showed Snowden in full control, to
the point of giving direction on questions and even suggesting how to
organize the report and its visual elements. Snowden frequently steered
questions away from areas that might have revealed more about NSA
operations, or he went into areas such as White House policy that he
considered "land mines." But the whistleblower eloquently discussed the
hazards of cyber warfare and the precariousness of the approach that the NSA
and Cyber Command had taken in terms of seeking to find and exploit holes in
the software of adversaries. In fact, he says the same vulnerabilities are
in systems in the U.S.

"The same router that's deployed in the United States is deployed in
China," Snowden explained. "The same software package that controls the dam
floodgates in the United States is the same as in Russia. The same hospital
software is there in Syria and the United States."

Some of the interview, which took place last June in Russia, possibly
foreshadowed the cyber attack on Sony Pictures. Snowden said that the
capabilities for cyber attacks such as the "Shamoon" malware attack in 2012
and other "wiper" attacks similar to what happened to Sony Pictures were
"sort of a Fisher Price, baby's first hack kind of a cyber campaign,"
capable of disruption but not really of creating long-term damage. But he
said more sophisticated organizations, including nation-state actors, are
"increasingly pursuing the capability to launch destructive cyber attacks
as opposed to the disruptive kinds that you normally see online...and this
is a pivot that is going to be very difficult for us to navigate."

"I don't want to hype the threat," Snowden told Bamford. "Nobody's going to
press a key on their keyboard and bring down the government. Nobody's going
to press a key on their keyboard and wipe a nation off the face of the
earth." But Snowden emphasized that the U.S. should be focusing more on
defending against adversaries than trying to penetrate their networks to
collect information and do damage.

"When you look at the problem of the U.S. prioritizing offense over
defense, imagine you have two bank vaults, the United States bank vault and
the Bank of China," Snowden explained. "The U.S. bank vault is completely
full. It goes all the way up to the sky. And the Chinese bank vault or the
Russian bank vault or the African bank vault or whoever the adversary of the
day is, theirs is only half full or a quarter full or a tenth full." But
because the U.S. has focused on being able to break into other networks, he
said, it has made its own technology vulnerable -- and other countries can
use the same vulnerabilities to attack the U.S.'s networks. [...]

------------------------------

Date: Wed, 07 Jan 2015 12:14:43 +0100
From: Anthony Thorn <anthony.thorn () atss ch>
Subject: Biometric Identification

The recent CCC (Chaos Computer Club) presentation about defeating biometric
identification using cameras demonstrates the vulnerability of Iris, Face
and Fingerprint methods. The theoretical risk is obvious, but here are the
practical demonstrations.

Dubbed in English: https://www.youtube.com/watch?v=VVxL9ymiyAU&feature=youtu.be

Should be good for sales of gloves, latex, pencils...

------------------------------

Date: Tue, 06 Jan 2015 08:48:36 +0000
From: Martyn Thomas <martyn () thomas-associates co uk>
Subject: Memory corruption

https://www.ece.cmu.edu/~safari/pubs/kim-isca14.pdf

"In this paper, we expose the vulnerability of commodity DRAM chips to
disturbance errors. By reading from the same address in DRAM, we show that
it is possible to corrupt data in nearby addresses. More specifically,
activating the same row in DRAM corrupts data in nearby rows. We
demonstrate this phenomenon on Intel and AMD systems using a malicious
program that generates many DRAM accesses. We induce errors in most DRAM
modules (110 out of 129) from three major DRAM manufacturers."

------------------------------

Date: Wed, 7 Jan 2015 03:33:01 -0500
From: Monty Solomon <monty () roscom com>
Subject: Morgan Stanley Breach Put Client Data Up for Sale on Pastebin,
  an Online Site

Nathaniel Popper, *The New York Times* blog, updated version, 5 Jan 2015

In mid-December, a posting appeared on the Internet site Pastebin offering
six million account records, including passwords and login data for clients
of Morgan Stanley.

Two weeks later, a new posting on the information-sharing site offered a
teaser of actual records from 1,200 accounts, and provided a link for people
interested in purchasing more, according to a person briefed on the matter.
The link pointed to a website that sells digital files for virtual
currencies like Bitcoin. In this case, the files were being sold for a more
obscure currency, Speedcoin.

The offer was quickly taken down the same day, 27 Dec, after Morgan Stanley
discovered the leak. In short order, the bank traced the breach to a
financial adviser working out of its New York offices, a 30-year-old named
Galen Marsh, according to a person involved in the investigation who spoke
on the condition of anonymity. ...

http://dealbook.nytimes.com/2015/01/05/morgan-stanley-fires-employee-saying-data-on-350000-clients-was-stolen/

------------------------------

Date: Thu, 1 Jan 2015 00:46:11 -0500
From: Monty Solomon <monty () roscom com>
Subject: US banks trace credit fraud to Chick-fil-A locales in possible
  data breach

http://arstechnica.com/security/2014/12/us-banks-trace-credit-fraud-to-chick-fil-a-locales-in-possible-data-breach/

------------------------------

Date: Wed, 7 Jan 2015 19:00:57 +0200
From: Amos Shapir <amos083 () gmail com>
Subject: Re: "Could e-voting be on its way in the UK?"

The most important point that should not be missed is that Internet voting
should be compared to postal votes, not traditional public voting station
methods. In the rush to make Internet voting more secure, we should not
forget that - like postal voting - it lacks the basic features: making
voting public, but the vote content itself confidential.

The public aspect of traditional voting methods assures that everyone who
is eligible to vote can do it, freely and confidentially. Internet voting
misses this aspect, no matter how secure it can be made. This is not a
technical issue!

------------------------------

Date: Thu, 8 Jan 2015 13:23:07 +0000
From: Tony Finch <dot () dotat at>
Subject: Re: Could e-voting be on its way in the UK? (Walker, RISKS-28.44)

A couple of months ago I read an electoral court judgment on voting fraud in
the UK which was handed down in July 2013:
http://www.bailii.org/ew/cases/EWHC/QB/2013/2572.html

The judge goes off on a massive rant about the disgraceful state of voting
security in the UK and the lack of interest from the authorities in dealing
with it. I expect online voting will make it even worse.

The whole judgment is quite readable and informative. The rant starts:

  Sadly, therefore, this is yet another case where the United Kingdom's
  shambolic electoral system has led to an election being challenged on the
  ground of widespread fraud. The system of electoral registration has
  always been very insecure and remains so. The problems this caused were,
  in the past, largely mitigated by the fact that 'absent' voting (voting
  by post or by proxy) was very limited in scope and hedged about with
  procedural difficulties. The introduction of postal voting on demand in
  2001, however, laid the electoral system wide open to massive and
  well-organised fraud. Warnings that this might be the case were blithely
  ignored by Parliament and, to some extent, by the Electoral Commission.
------------------------------

Date: Tue, 06 Jan 2015 21:20:19 +0000
From: Bernard Peek <bap () shrdlu com>
Subject: An oldie but goodie ODBC risk

Not very long ago I came across an accounting and HR package which used ODBC
connections from each client computer to its central Microsoft SQL Server
database. Installing the client software required the creation of a "data
source" file on each client. This file can then be used by any ODBC client,
such as Microsoft Office software, without needing the user to know the
password.

I discovered that the supplier's engineers had persuaded the IT team to let
them use the default SA (System Administrator) ID when creating the data
sources. As a result of this any other ODBC software installed on a client
machine could be used to gain anonymous read/write/delete access to the
entire finance and HR databases without needing to use a password.

I offered to save the CFO some work by signing off my own invoices but he
declined the offer.

Once I bypassed the supplier's helpdesk and contacted their CTO directly the
issue was quickly resolved. We reconfigured the client machines and the
database servers to eliminate the "SA" login completely.

RISKS readers might like to check their own systems to see whether any of
the Data Sources on their client machines use the SA login. If they do then
I suggest they have words with their suppliers and their DBAs (if they have
them). Short pithy words are best.

------------------------------

Date: Wed, 7 Jan 2015 03:33:01 -0500
From: Monty Solomon <monty () roscom com>
Subject: Sony Cyberattack, First a Nuisance, Swiftly Grew Into a Firestorm

Michael Cieply and Brooks Barnes, *The New York Times*, 30 Dec 2014

It was three days before Thanksgiving, the beginning of a quiet week for
Sony Pictures. But Michael Lynton, the studio's chief executive, was
nonetheless driving his Volkswagen GTI toward Sony's lot at 6 a.m. Final
planning for corporate meetings in Tokyo was on his agenda - at least until
his cellphone rang.

The studio's chief financial officer, David C. Hendler, was calling to tell
his boss that Sony's computer system had been compromised in a hacking of
unknown proportions. To prevent further damage, technicians were debating
whether to take Sony Pictures entirely offline.

Shortly after Mr. Lynton reached his office in the stately Thalberg building
at Sony headquarters in Culver City, Calif., it became clear that the
situation was much more dire. Some of the studio's 7,000 employees, arriving
at work, turned on their computers to find macabre images of Mr. Lynton's
severed head. Sony shut down all computer systems shortly thereafter,
including those in overseas offices, leaving the company in the digital
dark ages: no voice mail, no corporate email, no production systems. ...

http://www.nytimes.com/2014/12/31/business/media/sony-attack-first-a-nuisance-swiftly-grew-into-a-firestorm-.html

------------------------------

Date: Fri, 9 Jan 2015 01:52:41 -0500
From: Monty Solomon <monty () roscom com>
Subject: World's first *known* bootkit for OS X can permanently backdoor
  Macs (Dan Goodin)

Dan Goodin, Ars Technica, 7 Jan 2015
Thunderstrike allows anyone with even brief access to install stealthy
malware.

Securing Macs against stealthy malware infections could get more
complicated thanks to a new proof-of-concept exploit that allows attackers
with brief physical access to covertly replace the firmware of most machines
built since 2011.

Once installed, the bootkit -- that is, malware that replaces the firmware
that is normally used to boot Macs -- can control the system from the very
first instruction. That allows the malware to bypass firmware passwords,
passwords users enter to decrypt hard drives and to preinstall backdoors in
the operating system before it starts running. Because it's independent of
the operating system and hard drive, it will survive both reformatting and
OS reinstallation. And since it replaces the digital signature Apple uses to
ensure only authorized firmware runs on Macs, there are few viable ways to
disinfect infected boot systems. The proof-of-concept is the first of its
kind on the OS X platform. While there are no known instances of bootkits
for OS X in the wild, there is currently no way to detect them, either.

The malware has been dubbed Thunderstrike, because it spreads through
maliciously modified peripheral devices that connect to a Mac's Thunderbolt
interface. When plugged into a Mac that's in the process of booting up, the
device injects what's known as an Option ROM into the extensible firmware
interface (EFI), the firmware responsible for starting a Mac's system
management mode and enabling other low-level functions before loading the
OS. The Option ROM replaces the RSA encryption key Macs use to ensure only
authorized firmware is installed. From there, the Thunderbolt device can
install malicious firmware that can't easily be removed by anyone who
doesn't have the new key. ...

http://arstechnica.com/security/2015/01/worlds-first-known-bootkit-for-os-x-can-permanently-backdoor-macs/

------------------------------

Date: Sat, 10 Jan 2015 01:48:15 -0500
From: Monty Solomon <monty () roscom com>
Subject: Spotlight search in OS X Yosemite exposes private user details to
  spammers

Search feature overrides widely used setting blocking remote images.
Dan Goodin, Ars Technica, 9 Jan 2015

Using the Spotlight search feature in OS X Yosemite can leak IP addresses
and private details to spammers and other e-mail-based scammers, according
to tests independently performed by two news outlets.

The potential privacy glitch affects people who have configured the Mac
Mail App to turn off the "load remote content in messages" setting, as
security experts have long advised. Spammers, stalkers, and online
marketers often use remote images as a homing beacon to surreptitiously
track people opening e-mail. Because the images are hosted on sites hosted
by the e-mail sender, the sender can log the IP address that viewed the
message, as well as the times and how often the message was viewed, and the
specific e-mail addresses that received the message. Many users prefer to
keep their e-mail addresses, IP addresses, and viewing habits private, a
goal that's undermined by the viewing of remote images. ...

http://arstechnica.com/security/2015/01/spotlight-search-in-yosemite-exposes-private-user-details-to-spammers/

------------------------------

Date: Tue, 6 Jan 2015 09:43:46 -0500
From: Monty Solomon <monty () roscom com>
Subject: Apps Everywhere, but No Unifying Link

http://www.nytimes.com/2015/01/06/technology/tech-companies-look-to-break-down-walls-between-apps.html

As people spend more time using apps, their Internet has taken a step
backward, becoming more isolated -- more like the web before search engines.

------------------------------

Date: Mon, 05 Jan 2015 21:57:00 -0700
From: "Bob Gezelter" <gezelter () rlgsc com>
Subject: Re: Gogo Issues False SSL Certificates, Allowing them to decode
  SSL Traffic (Weinstein, RISKS-28.44)

ArsTechnica reports that Gogo, an inflight Wi-Fi service, has been
proffering its own version of other domains' certificates (the article
refers specifically to YouTube). This allows Gogo to decrypt traffic
intended to remain encrypted while in-transit. If used for all SSL
connections, it would expose a wide variety of traffic to monitoring,
capture, and subsequent impersonation (e.g., email, banking, corporate
applications). It is not clear if this is being used on all SSL connection
attempts, or only on certain connections. The justification offered is to
enforce a Gogo ban on streaming applications.

This report reemphasizes the need for users to be careful accepting a
certificate not signed by a well-known signature authority (CA).

The Ars Technica article is at:
http://arstechnica.com/security/2015/01/gogo-issues-fake-https-certificate-to-users-visiting-youtube/

Bob Gezelter, http://www.rlgsc.com

------------------------------

Date: Fri, 09 Jan 2015 06:19:20 -0700
From: "Bob Gezelter" <gezelter () rlgsc com>
Subject: ASUS Routers reportedly vulnerable to local area network command
  execution exploit

Apparently, ASUS routers have a weakness in the implementation of infosvr,
which reportedly uses UDP to communicate between different routers.
Designated CVE-2014-09583, this vulnerability allows a user inside the
firewall zone to use a UDP request to inject a command for execution by the
router (e.g., opening ports). The report includes a command which can be
manually used to shut down the infosvr service each time the router is
restarted.

The Ars Technica article is at:
http://arstechnica.com/security/2015/01/got-an-asus-router-someone-on-your-network-can-probably-hack-it/

Bob Gezelter, http://www.rlgsc.com

------------------------------

Date: Wed, 7 Jan 2015 14:42:36 +1100
From: Craig Burton <craig.alexander.burton () gmail com>
Subject: Re: Too many pilots can't handle an emergency (RISKS-28.44)

The most tragic element of the AF447 crash was that the stall warning system
gave a warning up to a critical angle of attack, but actually went silent
after that angle was exceeded on the assumption it could not be possible
and the device should not report a false positive. This caused the pilots
to keep the plane in a stall since when they tried to take it out of stall
by reducing attack angle, the stall alarm sounded.

I think there is the new risk that pilots need to be able to handle a
system failing in a complex way such as this? Is it reasonable for them to
learn and manage all edge cases in automation?
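The item above describes a warning that is suppressed once the reading exceeds a "plausible" limit, so that reducing the angle of attack brings the alarm back. The following is an added example, not from Craig Burton's post or any aircraft manufacturer: a deliberately simplified model with constructed thresholds (STALL_AOA, PLAUSIBLE_MAX_AOA) that contrasts that silence-on-implausible rule with a latched monitor which reports an out-of-range sensor as its own state instead of as silence. The angle-of-attack trace is constructed to reproduce the sequence the post describes.

```python
"""Stall-warning monitor: silence-on-implausible versus latched fail-safe.

Added example (not from the RISKS post). Thresholds and the trace are
constructed for illustration and do not represent any real aircraft.
"""

STALL_AOA = 12.0          # degrees: warn at or above this (constructed)
PLAUSIBLE_MAX_AOA = 40.0  # degrees: readings above this were treated as
                          # "impossible" and silenced (constructed)


def naive_warning(aoa):
    """Original-style logic: treat an implausible reading as a false positive.

    Returns True when the warning sounds.  Above PLAUSIBLE_MAX_AOA it goes
    silent, which is exactly the regime where the aircraft is deepest in the
    stall.
    """
    if aoa > PLAUSIBLE_MAX_AOA:
        return False
    return aoa >= STALL_AOA


class LatchedStallWarning:
    """Fail-safe variant.

    Once a stall is detected the warning latches and is only cleared by a
    plausible reading below STALL_AOA.  An out-of-range reading is reported
    as a distinct SENSOR state rather than as silence, so 'no warning' can
    never be produced by data the monitor does not trust.
    """

    def __init__(self):
        self.latched = False

    def update(self, aoa):
        if aoa > PLAUSIBLE_MAX_AOA:
            # Untrusted reading: keep any existing warning, flag the sensor.
            return "STALL+SENSOR" if self.latched else "SENSOR"
        if aoa >= STALL_AOA:
            self.latched = True
            return "STALL"
        self.latched = False
        return "OK"


def run_naive(trace):
    """Warning state per sample for the naive logic (True = sounding)."""
    return [naive_warning(a) for a in trace]


def run_latched(trace):
    """Annunciation per sample for the latched monitor."""
    monitor = LatchedStallWarning()
    return [monitor.update(a) for a in trace]


def perverse_transitions(trace, sounding):
    """Count samples where AoA decreased yet the warning went silent -> sounding.

    That is the feedback the post describes: the recovery action makes the
    alarm start, so the crew reads the alarm as a sign they are doing wrong.
    """
    count = 0
    for i in range(1, len(trace)):
        if trace[i] < trace[i - 1] and not sounding[i - 1] and sounding[i]:
            count += 1
    return count


# Constructed trace: climb into the stall, overshoot the "plausible" ceiling,
# then recover by reducing angle of attack.
SAMPLE_TRACE = [5.0, 10.0, 15.0, 30.0, 45.0, 50.0, 45.0, 30.0, 15.0, 8.0]


def compare(trace=SAMPLE_TRACE):
    """Run both monitors over a trace and count the perverse transitions."""
    naive = run_naive(trace)
    latched = run_latched(trace)
    return {
        "naive": naive,
        "latched": latched,
        "naive_perverse": perverse_transitions(trace, naive),
        # For the latched monitor anything other than OK is an annunciation.
        "latched_perverse": perverse_transitions(
            trace, [state != "OK" for state in latched]),
    }


if __name__ == "__main__":
    result = compare()
    for aoa, n, l in zip(SAMPLE_TRACE, result["naive"], result["latched"]):
        print(f"AoA {aoa:5.1f}  naive={'ON ' if n else 'off'}  latched={l}")
    print("perverse transitions: naive =", result["naive_perverse"],
          " latched =", result["latched_perverse"])
```

The design point is the general one for any monitor with a validity gate: a reading the system does not trust must produce an explicit "sensor" annunciation, never the same output as "all clear", and an alarm that has already fired should latch until trusted data shows the hazard has cleared.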
------------------------------

Date: Wed, 7 Jan 2015 16:14:57 -0500
From: david lewis <davidlewis () sympatico ca>
Subject: Re: Lenovo recalls more than 500,000 power cords

Both Leonard Finegold and Morton Welinder are wrong on the power dissipation
in a laptop power supply cord, because the power supply is not a resistor,
but a constant power sink, due to the regulator in it, which is designed to
convert power at high efficiency, and supply a fixed power to the battery.
So the current through the power supply is inverse of the voltage. But the
power supply cord is a resistance, so the heat in it is square of current,
or inverse square of the voltage in this case.

Let's take a 55W power supply for simplicity, and a .1 ohm power supply
cord resistance. At 110V it draws .5 A so the power supply cord dissipates
.5 * .5 * .1 = .025W. At 220V it draws .25A so the power supply cord
dissipates .25 * .25 * .1 = .00625W or a factor of 4 less.

  [We received a slew of comments in response on this subject. I picked
  this one as representative. PGN]

------------------------------

Date: Wed, 7 Jan 2015 15:01:42 -0500
From: Dick Mills <dickandlibbymills () gmail com>
Subject: LOL Re: Lenovo recalls more than 500,000 power cords

Len Finegold said "As my freshman students know... Twinkle twinkle little
star Power equals I squared R"

50 years ago when I was a freshman I memorized that jingle. But when I got
into the exam, my brain regurgitated this: Little star up in the sky, power
equals R squared I.

------------------------------

Date: Mon, 17 Nov 2014 11:11:11 -0800
From: RISKS-request () csl sri com
Subject: Abridged info on RISKS (comp.risks)

 The ACM RISKS Forum is a MODERATED digest. Its Usenet manifestation is
 comp.risks, the feed for which is donated by panix.com as of June 2011.
=> SUBSCRIPTIONS: PLEASE read RISKS as a newsgroup (comp.risks or equivalent)
 if possible and convenient for you. The mailman Web interface can
 be used directly to subscribe and unsubscribe:
   http://mls.csl.sri.com/mailman/listinfo/risks
 Alternatively, to subscribe or unsubscribe via e-mail to mailman
 your FROM: address, send a message to
   risks-request () csl sri com
 containing only the one-word text subscribe or unsubscribe. You may
 also specify a different receiving address: subscribe address= ... .
 You may short-circuit that process by sending directly to either
   risks-subscribe () csl sri com or risks-unsubscribe () csl sri com
 depending on which action is to be taken.

 Subscription and unsubscription requests require that you reply to a
 confirmation message sent to the subscribing mail address. Instructions
 are included in the confirmation message. Each issue of RISKS that you
 receive contains information on how to post, unsubscribe, etc.

=> The complete INFO file (submissions, default disclaimers, archive sites,
 copyright policy, etc.) is online.
   <http://www.CSL.sri.com/risksinfo.html>
 *** Contributors are assumed to have read the full info file for guidelines.

=> .UK users may contact <Lindsay.Marshall () newcastle ac uk>.
=> SPAM challenge-responses will not be honored. Instead, use an alternative
 address from which you NEVER send mail!
=> SUBMISSIONS: to risks () CSL sri com with meaningful SUBJECT: line.
 *** NOTE: Including the string `notsp' at the beginning or end of the subject
 *** line will be very helpful in separating real contributions from spam.
 *** This attention-string may change, so watch this space now and then.
=> ARCHIVES: ftp://ftp.sri.com/risks for current volume
 or ftp://ftp.sri.com/VL/risks for previous VoLume
 http://www.risks.org takes you to Lindsay Marshall's searchable archive at
 newcastle: http://catless.ncl.ac.uk/Risks/VL.IS.html gets you VoLume, ISsue.
 Lindsay has also added to the Newcastle catless site a palmtop version
 of the most recent RISKS issue and a WAP version that works for many but
 not all telephones: http://catless.ncl.ac.uk/w/r
 <http://the.wiretapped.net/security/info/textfiles/risks-digest/> .
==> PGN's comprehensive historical Illustrative Risks summary of one liners:
   <http://www.csl.sri.com/illustrative.html> for browsing,
   <http://www.csl.sri.com/illustrative.pdf> or .ps for printing
 is no longer maintained up-to-date except for recent election problems.
 *** NOTE: If a cited URL fails, we do not try to update them. Try
 browsing on the keywords in the subject line or cited article leads.
==> Special Offer to Join ACM for readers of the ACM RISKS Forum:
   <http://www.acm.org/joinacm1>

------------------------------

End of RISKS-FORUM Digest 28.45
************************
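Following up on Bernard Peek's ODBC item earlier in this issue, which suggests checking whether any client data sources use the SA login: the following added example (not from the digest or its contributors) audits ODBC File DSNs for that pattern. It assumes the standard File DSN layout, an INI-style *.dsn text file whose [ODBC] section carries keys such as DRIVER, SERVER, DATABASE, UID and PWD; the default directory and the sample DSN bodies are assumptions constructed for illustration.

```python
"""Audit ODBC File DSNs (*.dsn) for the SA login or a stored password.

Added example; not from the RISKS item or its contributors.  Assumes the
standard File DSN layout: an INI-style file whose [ODBC] section holds
keys such as DRIVER, SERVER, DATABASE, UID and PWD.  The sample DSN bodies
below are constructed for illustration.
"""
import configparser
import sys
from pathlib import Path

# Logins that should never be embedded in a client-side data source.
PRIVILEGED_LOGINS = {"sa"}

# Typical File DSN directory on Windows (assumption; adjust for your estate).
DEFAULT_DSN_DIR = r"C:\Program Files\Common Files\ODBC\Data Sources"


def parse_dsn(text):
    """Return the [ODBC] section as a dict with upper-cased keys, or {} if absent."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.optionxform = str.upper  # UID, uid and Uid all compare equal
    try:
        cp.read_string(text)
    except configparser.Error:  # not INI-shaped at all: treat as no [ODBC] section
        return {}
    if not cp.has_section("ODBC"):
        return {}
    return {key: value.strip() for key, value in cp.items("ODBC")}


def audit_dsn(text):
    """Return a list of findings for one DSN body; an empty list means clean."""
    odbc = parse_dsn(text)
    findings = []
    uid = odbc.get("UID", "").lower()
    if uid in PRIVILEGED_LOGINS:
        findings.append(f"privileged login '{uid}' embedded in data source")
    if odbc.get("PWD"):
        findings.append("cleartext password stored in data source")
    return findings


def scan_dsn_texts(named_texts):
    """Audit (name, text) pairs; return {name: findings} for entries with findings."""
    results = {}
    for name, text in named_texts:
        findings = audit_dsn(text)
        if findings:
            results[name] = findings
    return results


def scan_dsn_files(root):
    """Recursively audit every *.dsn file under `root`."""
    def read_all():
        for path in Path(root).rglob("*.dsn"):
            try:
                yield str(path), path.read_text(encoding="utf-8", errors="replace")
            except OSError:
                continue  # unreadable file: skip rather than abort the sweep
    return scan_dsn_texts(read_all())


# Constructed samples: the risky pattern from the item, and a Windows-auth DSN
# that carries neither a login nor a password.
SAMPLE_SA_DSN = """[ODBC]
DRIVER=SQL Server
UID=sa
PWD=s3cret
DATABASE=Finance
SERVER=SQL01
"""

SAMPLE_CLEAN_DSN = """[ODBC]
DRIVER=SQL Server
Trusted_Connection=Yes
DATABASE=Finance
SERVER=SQL01
"""

if __name__ == "__main__":
    root = sys.argv[1] if len(sys.argv) > 1 else DEFAULT_DSN_DIR
    for name, findings in scan_dsn_files(root).items():
        print(name)
        for finding in findings:
            print("  -", finding)
```

Run it as `python audit_dsn.py <directory>` on a client machine or a share that holds the deployed DSN files. It covers File DSNs only; User and System DSNs are kept in the registry under Software\ODBC\ODBC.INI and would need a separate check, and a DSN that relies on Trusted_Connection=Yes still deserves a look at what the Windows account in question is allowed to do on the server.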