RISKS Forum mailing list archives
Risks Digest 28.49
From: RISKS List Owner <risko () csl sri com>
Date: Mon, 2 Feb 2015 15:59:58 PST
RISKS-LIST: Risks-Forum Digest  Monday 2 February 2015  Volume 28 : Issue 49

ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
Peter G. Neumann, moderator, chmn ACM Committee on Computers and Public Policy

***** See last item for further information, disclaimers, caveats, etc. *****
This issue is archived at <http://www.risks.org> as
  <http://catless.ncl.ac.uk/Risks/28.49.html>
The current issue can be found at
  <http://www.csl.sri.com/users/risko/risks.txt>

  Contents:
BMW ConnectedDrive using http not https (William Brodie-Tyrrell)
First Officer Lands Delta Jet As Captain Locked Out Of Cockpit (Gabe Goldberg)
China Further Tightens Grip on the Internet (Andrew Jacobs)
Sustained Investment in Research Is Needed to Combat Cyberthreats
  (Brian Mosley)
Your Coding Style Can Give You Away (Phil Johnson)
Anonymizing Identifiers are not anonymous (Bob Gezelter)
"80% of Canadians will choose a business on its privacy reputation,
  survey says" (Howard Solomon via Gene Wirchenko)
"'Ghost' vulnerability poses high risk to Linux distributions"
  (Jeremy Kirk via Gene Wirchenko)
FTC Releases "Internet of Things: Privacy and Security in a Connected World"
  (Bob Gezelter)
Breach of Ethics (John Bohannon via Henry Baker)
"CRTC bans Bell, Videotron from giving their customers subsidies for
  watching their content on mobile devices" (Candice So via Gene Wirchenko)
Man Lost Contact With White House Drone (Michael D. Shear via Henry Baker)
Re: "Will your expensive new headphones soon be obsolete?" (Chris Drewe)
Re: People upset that the E-911 folk want to use GLONASS (Richard A. O'Keefe)
Re: Schneider ... contains hardcoded credentials (Gabe Goldberg)
Re: plofkraak (Craig Burton)
Abridged info on RISKS (comp.risks)

----------------------------------------------------------------------

Date: Mon, 2 Feb 2015 10:55:19 +1030
From: William Brodie-Tyrrell <william.brodie.tyrrell () gmail com>
Subject: BMW ConnectedDrive using http not https

BMW installs GSM modems in its cars for remote control, but communicates
with them in plain-text (Deutsche):
  http://www.heise.de/newsticker/meldung/BMW-ConnectedDrive-gehackt-2533601.html

Machine translation:
  https://translate.google.com/translate?hl=en&sl=de&tl=en&u=http%3A%2F%2Fwww.heise.de%2Fnewsticker%2Fmeldung%2FBMW-ConnectedDrive-gehackt-2533601.html

The report doesn't state whether this was the vulnerability leading to
interestingly high rates of BMW thefts recently, nor whether the patch that
they applied addresses authentication properly, e.g. validates certificates.

william () brodie-tyrrell org  http://www.brodie-tyrrell.org/

------------------------------

Date: Mon, 02 Feb 2015 13:18:46 -0500
From: Gabe Goldberg <gabe () gabegold com>
Subject: First Officer Lands Delta Jet As Captain Locked Out Of Cockpit

The risk? Massive/expensive/complex/reliable(?) technology defeated by ...
a piece of string.

http://www.avweb.com/avwebflash/news/First-Officer-Lands-Delta-Jet-as-Captain-Locked-Out-of-Cockpit223489-1.html

...like Martians in War of the Worlds defeated by ... Earthly bacteria:
Wikipedia says...

  ...it is implied they are ignorant of disease
  <http://en.wikipedia.org/wiki/Disease> and decomposition. It is theorized
  that their advanced technology eliminated whatever indigenous diseases were
  present on Mars, and so they no longer remembered their effects.
  Ultimately, their lack of knowledge or preparation against any bacteria
  indigenous to Earth causes their destruction here (though the epilogue
  states they may have successfully invaded Venus by what Wells described as
  `putrefactive bacteria', which digests organic materials upon death).

Lessons from airplane, from Martians?

Gabriel Goldberg, Computers and Publishing, Inc.  gabe () gabegold com
3401 Silver Maple Place, Falls Church, VA 22042  (703) 204-0433

  [Monty Solomon noted an article on this:
  http://www.boston.com/travel/2015/01/30/pilot-locked-out-cockpit-during-delta-flight/CV9B8NBqlrC5eRGZtiDsdP/story.html
  PGN]

------------------------------

Date: Fri, 30 Jan 2015 11:57:40 -0500 (EST)
From: "ACM TechNews" <technews () hq acm org>
Subject: China Further Tightens Grip on the Internet (Andrew Jacobs)

Andrew Jacobs, *The New York Times*, 30 Jan 2015, ACM TechNews; 30 Jan 2015

Chinese officials this week took action to block the functioning of several
virtual private networks (VPNs) its citizens use to circumvent China's online
censorship apparatus. Officials have long tolerated VPNs, which are used by a
broad spectrum of Chinese citizens, ranging from business people to academics
and scientists to artists. However, the Chinese government has been stepping
up its online censorship activities in recent years as part of a push for
what it calls "cyber sovereignty," which is the idea the government has the
right to block online content it objects to. The cyber sovereignty campaign
has seen the degradation or outright blocking of numerous services Chinese
citizens use to communicate with the rest of the world. Chinese scientists
and academics are particularly incensed about the difficulty they now face in
getting access to Google Scholar.
Many within and without China say the government's efforts to block Internet
content are proving a major impediment to the government's stated goal of
shifting the country's economy away from its reliance on manufacturing and
construction to a more entrepreneurial model. The restrictions make it
difficult for foreigners to do business and are causing many bright Chinese
entrepreneurs to consider leaving the country.

http://orange.hosting.lsoft.com/trk/click?ref=znwrbbrs9_5-d4fbx2c5bdx062061&

------------------------------

Date: Fri, 30 Jan 2015 11:57:40 -0500 (EST)
From: "ACM TechNews" <technews () hq acm org>
Subject: Sustained Investment in Research Is Needed to Combat Cyberthreats
  (Brian Mosley)

Brian Mosley, Sustained Investment in Research Is Needed to Combat
Cyberthreats, CISE AD Tells Congress
Computing Research Policy Blog, 29 Jan 2015, via ACM TechNews; 30 Jan 2015

In testimony before the U.S. House Science, Space, and Technology Committee's
Research and Technology Subcommittee on Tuesday, Computer and Information
Science and Engineering (CISE) assistant director Jim Kurose said sustained
basic research investment is necessary for countering growing cyberthreats.
He also stressed the need for behavioral researchers' participation in this
effort, since effective solutions must be social-technical in nature. In
addition, Kurose said there must be closer communication between federal
agencies, especially the U.S. National Institute of Standards and Technology,
and industry in order to get the most up-to-date information on ever-changing
threats and best practices. Kurose's views were echoed by all of the
witnesses at the hearing, which included both private- and public-sector
experts. In response to subcommittee chairwoman Barbara Comstock's (R-VA)
query on how Congress should engage with constituents on the cybersecurity
issue, witnesses generally agreed everyday people must take a serious view of
the threat and use all available security tools.
"Utilizing targeted emails, spam, malware, bots, and other tools,
cybercriminals, 'hacktivists,' and nation-states are attempting to access
information technology systems all the time," Comstock noted at the hearing.
"The defense of these systems relies on professionals who can react to
threats and proactively prepare those systems for attack."

http://orange.hosting.lsoft.com/trk/click?ref=znwrbbrs9_5-d4fbx2c5bfx062061&

------------------------------

Date: Fri, 30 Jan 2015 11:57:40 -0500 (EST)
From: "ACM TechNews" <technews () hq acm org>
Subject: Your Coding Style Can Give You Away (Phil Johnson)

Phil Johnson, ACM TechNews, 30 Jan 2015
CSI Computer Science: Your Coding Style Can Give You Away,
Phil Johnson, *ITWorld.com*, 28 Jan 2015

Researchers at Drexel University, the University of Maryland, the University
of Goettingen, and Princeton University have developed a code stylometry
using natural language processing and machine learning to determine the
authors of source code based on coding style. The researchers say the
technology could be applicable to a wide range of situations in which
ascertaining the originating coder is important, such as to help identify
the author of malicious source code. The researchers say they developed
abstract syntax trees derived from language-specific syntax and keywords,
which capture a syntactic feature set that "was created to capture
properties of coding style that are completely independent from writing
style." They tested the code stylometry by gathering publicly available data
from Google's Code Jam, taking solutions to several identical problems for a
group of users as a training dataset in order to learn the style of each
coder. The researchers then looked blindly at solutions the same coders
wrote to another problem and tried to identify the author of each. The code
stylometry achieved 95-percent accuracy in identifying the author of
anonymous code.
In addition, the researchers found coding style is more well-defined through
solving harder problems. "This might indicate that as programmers become more
advanced, they build a stronger coding style compared to newbies," according
to the researchers.

http://orange.hosting.lsoft.com/trk/click?ref=znwrbbrs9_5-d4fbx2c5c2x062061&

------------------------------

Date: Sat, 31 Jan 2015 07:07:38 -0700
From: "Bob Gezelter" <gezelter () rlgsc com>
Subject: Anonymizing Identifiers are not anonymous

For many years, I have argued that traffic analysis sets ample precedent to
distrust anonymization schemes. It has been well-documented in the signals
intelligence history that associating radio call signs with particular units
is not overly difficult by combining observable locations with detection of
particular call signs. In the "Computer Security Handbook, Third Edition"
(1995, Wiley) and subsequent editions, I noted that such collation hazards
were a serious privacy hazard.

MIT researchers de Montjoye, Radaelli, Singh, and Pentland have recently
reconfirmed this hypothesis. In research recently published in Science, they
have illustrated the weakness of commonly used anonymization schemes. Working
from credit card transactional data, they were able to identify individual
activity without difficulty.

From the abstract: "... We study 3 months of credit card records for 1.1
million people and show that four spatiotemporal points are enough to
uniquely re-identify 90% of individuals. We show that knowing the price of a
transaction increases the risk of re-identification by 22%, on average.
Finally, we show that even data sets that provide coarse information at any
or all of the dimensions provide little anonymity and that women are more
re-identifiable than men in credit card metadata."

The implications of this go far beyond credit card transactional data.

The complete Science article is at:
  www.sciencemag.org/content/347/6221/536.full.pdf

Bob Gezelter, http://www.rlgsc.com

------------------------------

Date: Fri, 30 Jan 2015 11:21:25 -0800
From: Gene Wirchenko <genew () telus net>
Subject: "80% of Canadians will choose a business on its privacy reputation,
  survey says" (Howard Solomon)

Howard Solomon, *IT Business*, 29 Jan 2015
http://www.itbusiness.ca/news/80-per-cent-of-canadians-will-choose-a-business-on-its-privacy-reputation-survey-says/53526

------------------------------

Date: Fri, 30 Jan 2015 11:05:32 -0800
From: Gene Wirchenko <genew () telus net>
Subject: "'Ghost' vulnerability poses high risk to Linux distributions"
  (Jeremy Kirk)

Jeremy Kirk, *Infoworld*, 30 Jan 2015

A flaw in the GNU C Library can be exploited remotely for full control and
should be patched as soon as possible, according to Qualys.

A fault in a widely used component of most Linux distributions could allow
an attacker to take remote control of a system after merely sending a
malicious email.
http://www.infoworld.com/article/2876105/security/ghost-vulnerability-poses-high-risk-to-linux-distributions.html

------------------------------

Date: Fri, 30 Jan 2015 10:21:26 -0700
From: "Bob Gezelter" <gezelter () rlgsc com>
Subject: FTC Releases "Internet of Things: Privacy and Security in a
  Connected World"

The US Federal Trade Commission staff has issued "Internet of Things: Privacy
and Security in a Connected World", a report from a workshop on the security
and privacy issues of Internet-enabled devices and sensors.

The FTC Report is at:
  http://www.ftc.gov/system/files/documents/reports/federal-trade-commission-staff-report-november-2013-workshop-entitled-internet-things-privacy/150127iotrpt.pdf

Bob Gezelter, http://www.rlgsc.com

------------------------------

Date: Fri, 30 Jan 2015 12:47:37 -0800
From: Henry Baker <hbaker1 () pipeline com>
Subject: Breach of Ethics (John Bohannon)

John Bohannon, *Science Magazine*

FYI -- Some NSA employees are already in violation of both the ACM and IEEE
codes of ethics, and to the extent that NSA helps with the CIA assassination
drone program, some NSA employees may also be involved in war crimes. If
these professional organizations' codes of ethics are to have any meaning,
whatsoever, it is now time for the ethics committees of these professional
organizations to stand up and be counted. As a result of the Nuremberg
Trials, "it is not an acceptable excuse to say 'I was just following my
superior's orders'". [HB]

https://en.wikipedia.org/wiki/Nuremberg_principles
http://www.sciencemag.org/content/347/6221/495.full.pdf

Breach Of Trust
After the Snowden revelations, U.S. mathematicians are questioning their
long-standing ties with the secretive National Security Agency
John Bohannon

IN THE WAKE of the Snowden revelations, most of the media attention has
focused on NSA's large-scale harvesting of data from U.S. citizens.
But it is a more obscure exploit that concerns Hales and many other
mathematicians: what they see as an attack on the very heart of modern
Internet security. When you check your bank account online, for example, the
information is encrypted using a series of large numbers generated by both
the bank server and your own computer. Generating random numbers that are
truly unpredictable requires physical tricks, such as measurements from a
quantum experiment. Instead, the computers use mathematical algorithms to
generate pseudorandom numbers. Although such numbers are not fundamentally
unpredictable, guessing them can require more than the world's entire
computing power. As long as those pseudorandom numbers are kept secret, the
encoded information can safely travel across the Internet, protected from
eavesdroppers -- including NSA. But the agency appears to have created its
own back door into encrypted communications. ...

But it received little attention until internal NSA memos made public by
Snowden revealed that NSA was the sole author of the flawed algorithm and
that the agency worked hard behind the scenes to make sure it was adopted by
NIST.

------------------------------

Date: Fri, 30 Jan 2015 11:18:43 -0800
From: Gene Wirchenko <genew () telus net>
Subject: "CRTC bans Bell, Videotron from giving their customers subsidies
  for watching their content on mobile devices" (Candice So)

Candice So, *IT Business*, 29 Jan 2015

The Canadian Radio-television Communications Commission (CRTC) has ruled it's
no longer going to allow cellphone service providers to give special
treatment to their own TV content when consumers stream it from wireless
devices.

http://www.itbusiness.ca/article/crtc-bans-bell-videotron-from-giving-their-customers-subsidies-for-watching-their-content-on-mobile-devices

------------------------------

Date: Fri, 30 Jan 2015 06:44:55 -0800
From: Henry Baker <hbaker1 () pipeline com>
Subject: Man Lost Contact With White House Drone (Michael D. Shear)

FYI -- "Lost contact with drone" will become the new excuse for U.S. errant
drone kills in the Middle East...

  [Was this stunt calculated to create controversy so that consumer drones
  will get regulated? If this fall guy were to spend a year in prison, it
  would at least raise the cost for future false flag operations like this
  one. (HB, slightly PGN-ed)]

Michael D. Shear, *The New York Times*, 29 Jan 2015
http://www.nytimes.com/2015/01/30/us/man-lost-contact-with-drone-before-it-sped-to-white-house-friend-says.html

------------------------------

Date: Thu, 29 Jan 2015 22:15:49 +0000
From: "Chris Drewe" <e767pmk () yahoo co uk>
Subject: Re: "Will your expensive new headphones soon be obsolete?"

http://www.telegraph.co.uk/technology/apple/11369711/Why-your-expensive-headphones-will-be-obsolete.html
Matthew Sparkes, Deputy Head of Technology, *The Telegraph*, 27 Jan 2015
http://www.telegraph.co.uk/journalists/matthew-sparkes/

Will your expensive new headphones soon be obsolete?
switchboards, so it should be no surprise that mobile phones will soon drop
it. But many will be left holding expensive and obsolete headphones, says
Matthew Sparkes

An item in yesterday's newspaper (27 Jan 2015) about headphone connections
for smartphones, tablets, etc. In summary, it says that the 3.5mm jack plug
has been standard since the days of cassette Walkmans, but it is likely to
be soon replaced by proprietary connectors. Good news is that power and
digital audio can be fed directly to the headphones, potentially giving
better sound quality, while eliminating the (relatively) bulky 3.5mm socket
means yet-thinner smartphones. Bad news is if headphones have brand-specific
connectors and software so upgrading your smartphone/tablet means changing
your headphones as well (or vice-versa). Personally I've also long found
model-specific accessories (e.g. batteries, AC mains adapters) to be an
irritation with other equipment. [...]
------------------------------

Date: Fri, 30 Jan 2015 20:10:42 +1300
From: "Richard A. O'Keefe" <ok () cs otago ac nz>
Subject: Re: People upset that the E-911 folk want to use GLONASS (RISKS 28.47)

In RISKS-28.47, Danny Burstein raised his eyebrows at the idea of "rely[ing]
on a system under the complete control of another nation".

From the World CIA Fact Book,
  World population:    7,174,611,584 (how do they measure so precisely???)
  US population:         318,89_,___ (given to two places in millions)
  Russian population:    142,47_,___

This means that 93.5%+ of the world's population has no choice but to rely on
a foreign-controlled global navigation system.

------------------------------

Date: Fri, 30 Jan 2015 17:04:44 -0500
From: Gabe Goldberg <gabe () gabegold com>
Subject: Re: Schneider ... contains hardcoded credentials (Baker)

Long ago, I was asked for advice penetrating IBM's VM mainframe operating
system. (Don't confuse this with today's VMware.) This was a contract
evaluating security at a government installation running multiple
classification levels simultaneously; the data center manager claimed that
VM's (very robust) virtualization reliably isolated work areas. I suggested
that before trying anything technical, the pen-test staffer check for
egregious screwups, for example by starting at a public file area
("minidisk"), scanning all programs found for links to other minidisks,
scanning them and so on, to see what baubles might be found. A couple days
later he dropped a printout of the system directory on the manager's desk.
Either default link passwords for crown jewels were still in place or
someone had expediently coded real passwords in publicly available programs
-- so anyone on the system could access everything on the system. Either
way, another demonstration that "simple" often cracks the safe.
Gabriel Goldberg, Computers and Publishing, Inc., 3401 Silver Maple Place,
Falls Church, VA 22042  (703) 204-0433

------------------------------

Date: Fri, 30 Jan 2015 16:45:05 +1100
From: Craig Burton <craig.alexander.burton () gmail com>
Subject: Re: plofkraak (RISKS-28.48)

Regarding the plofkraak, I suspect the below is this occurring in Australia
http://www.abc.net.au/news/2014-12-30/winnellie-atm-robbery-man-knocked-backwards-by-explosion/5992498

------------------------------

Date: Mon, 17 Nov 2014 11:11:11 -0800
From: RISKS-request () csl sri com
Subject: Abridged info on RISKS (comp.risks)

 The ACM RISKS Forum is a MODERATED digest. Its Usenet manifestation is
 comp.risks, the feed for which is donated by panix.com as of June 2011.
=> SUBSCRIPTIONS: PLEASE read RISKS as a newsgroup (comp.risks or equivalent)
 if possible and convenient for you. The mailman Web interface can
 be used directly to subscribe and unsubscribe:
   http://mls.csl.sri.com/mailman/listinfo/risks
 Alternatively, to subscribe or unsubscribe via e-mail to mailman
 your FROM: address, send a message to
   risks-request () csl sri com
 containing only the one-word text subscribe or unsubscribe. You may
 also specify a different receiving address: subscribe address= ... .
 You may short-circuit that process by sending directly to either
   risks-subscribe () csl sri com or risks-unsubscribe () csl sri com
 depending on which action is to be taken.

 Subscription and unsubscription requests require that you reply to a
 confirmation message sent to the subscribing mail address. Instructions
 are included in the confirmation message. Each issue of RISKS that you
 receive contains information on how to post, unsubscribe, etc.

=> The complete INFO file (submissions, default disclaimers, archive sites,
 copyright policy, etc.) is online.
   <http://www.CSL.sri.com/risksinfo.html>
 *** Contributors are assumed to have read the full info file for guidelines.

=> .UK users may contact <Lindsay.Marshall () newcastle ac uk>.
=> SPAM challenge-responses will not be honored. Instead, use an alternative
 address from which you NEVER send mail!
=> SUBMISSIONS: to risks () CSL sri com with meaningful SUBJECT: line.
 *** NOTE: Including the string `notsp' at the beginning or end of the subject
 *** line will be very helpful in separating real contributions from spam.
 *** This attention-string may change, so watch this space now and then.
=> ARCHIVES: ftp://ftp.sri.com/risks for current volume
    or ftp://ftp.sri.com/VL/risks for previous VoLume
 http://www.risks.org takes you to Lindsay Marshall's searchable archive at
 newcastle: http://catless.ncl.ac.uk/Risks/VL.IS.html gets you VoLume, ISsue.
 Lindsay has also added to the Newcastle catless site a palmtop version
 of the most recent RISKS issue and a WAP version that works for many but
 not all telephones: http://catless.ncl.ac.uk/w/r
 <http://the.wiretapped.net/security/info/textfiles/risks-digest/> .
==> PGN's comprehensive historical Illustrative Risks summary of one liners:
   <http://www.csl.sri.com/illustrative.html> for browsing,
   <http://www.csl.sri.com/illustrative.pdf> or .ps for printing
 is no longer maintained up-to-date except for recent election problems.
 *** NOTE: If a cited URL fails, we do not try to update them. Try
 browsing on the keywords in the subject line or cited article leads.
==> Special Offer to Join ACM for readers of the ACM RISKS Forum:
   <http://www.acm.org/joinacm1>

------------------------------

End of RISKS-FORUM Digest 28.49
************************
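The re-identification result quoted in Bob Gezelter's item above ("Anonymizing Identifiers are not anonymous") comes down to one count: how often do p points taken from one person's pseudonymised trace match nobody else in the dataset? The following is an added illustration of that count, not code from the digest or from the Science paper it cites; the tiny transaction dataset is constructed, and `matches`, `unicity`, `coarsen` and `shop_and_week` are this example's own names, not the paper's.

```python
"""Unicity check for a pseudonymised transaction dataset.

Added illustration, not code from the RISKS item or from the Science paper it
cites.  'Unicity' here: take p points from one person's trace; if no other
trace in the dataset contains all p points, those points single that person
out even though the dataset holds no names.  The dataset is constructed and
tiny; it shows the mechanics, not the paper's percentages.
"""
from itertools import combinations

# Constructed sample: pseudonymous id -> set of (shop_id, day_number) points.
# Every single point is shared by at least two people, so one point never
# identifies anyone, yet every 4-point trace is distinct.
SAMPLE = {
    "u1": {("s1", 1), ("s2", 1), ("s3", 1), ("s4", 1)},
    "u2": {("s1", 1), ("s2", 1), ("s1", 2), ("s2", 2)},
    "u3": {("s3", 1), ("s4", 1), ("s1", 2), ("s2", 2)},
    "u4": {("s1", 1), ("s3", 1), ("s1", 2), ("s3", 2)},
    "u5": {("s2", 1), ("s4", 1), ("s2", 2), ("s4", 2)},
    "u6": {("s3", 2), ("s4", 2), ("s1", 1), ("s2", 1)},
}


def matches(data, points):
    """Ids (sorted) of everyone whose trace contains every given point."""
    return sorted(uid for uid, trace in data.items() if points <= trace)


def unicity(data, p):
    """Fraction of (person, p-point subset of their trace) pairs for which
    the p points match that one person and nobody else.

    Exhaustive over all subsets, so exact for small data; at scale you would
    sample random subsets instead, as the paper does.
    """
    unique = total = 0
    for uid, trace in data.items():
        for subset in combinations(sorted(trace), p):
            total += 1
            if matches(data, set(subset)) == [uid]:
                unique += 1
    return unique / total if total else 0.0


def coarsen(data, key):
    """Re-key every point through `key`; points that collapse onto the same
    coarse value merge, so traces shrink and become less distinctive."""
    return {uid: {key(pt) for pt in trace} for uid, trace in data.items()}


def shop_and_week(point):
    """Coarsening: keep the shop, bucket the day number into a week."""
    shop, day = point
    return shop, day // 7


if __name__ == "__main__":
    for p in (1, 2, 3, 4):
        print(f"{p} point(s): {unicity(SAMPLE, p):.1%} of draws re-identify")
    print(f"2 points after weekly bucketing: "
          f"{unicity(coarsen(SAMPLE, shop_and_week), 2):.1%}")
```

Running it on the constructed set shows the shape of the paper's finding: one point identifies nobody, two points already single out over a third of the draws, and three or four points identify everyone.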