RISKS Forum mailing list archives

Risks Digest 28.71


From: RISKS List Owner <risko () csl sri com>
Date: Sat, 20 Jun 2015 1:51:24 PDT

RISKS-LIST: Risks-Forum Digest  Saturday 20 June 2015  Volume 28 : Issue 71

ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
Peter G. Neumann, moderator, chmn ACM Committee on Computers and Public Policy

***** See last item for further information, disclaimers, caveats, etc. *****
This issue is archived at <http://www.risks.org> as
  <http://catless.ncl.ac.uk/Risks/28.71.html>
The current issue can be found at
  <http://www.csl.sri.com/users/risko/risks.txt>

  Contents:
Major League Baseball cancels 60 million all-star votes (PGN)
L.A. plans potentially disastrous switch to "electronic" voting (Ars)
No ticket with a long name (Debora Weber-Wulff)
UN: Encryption a Fundamental Right (Eric Burger)
Samsung Keyboard Security Risk - 600M+ devices affected (NowSecure)
Payments to RBS customers missing (Richard I Cook)
Shooting over cellphone: case is 'extreme', say police (CBC News)
Heinz says sorry for ketchup QR code that links to porn site (Appy-geek)
Zero-day exploit lets App Store malware steal OS X and iOS passwords
  (Glenn Fleishman)
Don't pay your bills all at once (paul wallich)
Officials say security lapses left OMB system open to hackers (PGN)
Re: Report: Russia, China Crack Snowden Docs (William Brodie-Tyrrell)
Liars trust cheaters, Re: sex, lies, debt exposed by OPM (Mark E. Smith)
OPM: Gone Phishing: Shoot the Wounded (Lisa Rein via Henry Baker)
Abridged info on RISKS (comp.risks)

----------------------------------------------------------------------

Date: Sat, 20 Jun 2015 02:27:50 -0400
From: Peter G Neumann
Subject: Major League Baseball cancels 60 million all-star votes

We've long been suggesting in RISKS that Internet Voting was an inherently
BAD IDEA.  Now the folks who run the so-called American Pastime at the
top professional level may have decided that Internet Voting is really the
American PastTime, although many of us think it is not past time -- it is
NOT READY for prime time, and perhaps never will be, for elections of any
real importance.

http://bleacherreport.com/articles/2500903-mlb-cancels-more-than-60-million-all-star-votes-for-fear-of-improper-voting

By the way, apologies for letting "Armenia loses Internet access" slip
through in the previous issue.  That item from 2011 was really past time.

------------------------------

Date: Sat, 13 Jun 2015 08:33:46 -0700
From: Lauren Weinstein <lauren () vortex com>
Subject: L.A. plans potentially disastrous switch to "electronic" voting

L.A. plans potentially disastrous switch to "electronic" voting
Ars Technica
http://arstechnica.com/tech-policy/2015/06/los-angeles-county-moves-to-open-source-voting-technology/

  The county is also considering a number of customizable options to bolster
  voter turnout, which has suffered in recent years. Along with the new
  system, it plans to introduce a "poll pass," which allows users to
  pre-mark their votes using their phone, tablet, or desktop and scan them
  with a QR code at their polling place. Logan said the new system is
  designed to let users vote anywhere in the county, rather than at a
  designated polling station. He hopes to broaden the 7:00am to 8:00pm
  voting window to a multi-day "voting period," during which a limited
  number of stations would be open prior to the election. There's even talk
  of an electronic equivalent to absentee voting--if and when the law
  permits.

Open source is not a panacea. So much here and planned that could go so very
wrong. They never learn. Note the part about "electronic" absentee
voting. Given how large the absentee voter population is in L.A., this
almost certainly means the disaster of Internet voting.

------------------------------

Date: Fri, 19 Jun 2015 17:22:53 +0200
From: Prof. Dr. Debora Weber-Wulff <weberwu () htw-berlin de>
Subject: No ticket with a long name

The Swiss newspaper "20 Minuten" (20 minutes) reports that a Swiss woman of
Portuguese descent tried to purchase airline tickets online with the portal
Edreams.ch.  She was informed a few days later that the tickets were
rejected by the airline Swiss because her name of 32 characters was too long
- Swiss only accept 28.
http://www.20min.ch/schweiz/romandie/story/Name-zu-lang---Flugticket-storniert-20762253

Portuguese and Spanish names are quite long, as there is one from the
mother's side and one from the father's side traditionally. Swiss pointed
out that it was edreams' fault - they should have asked the customer how she
wanted to abbreviate her name. In the meantime, she was able to buy tickets
from another airline with no length restriction on names -- but at a higher
price.

HTW Berlin, Studiengang IMI, Treskowallee 8, 10313 Berlin +49-30-5019-2320
weberwu () htw-berlin de http://www.f4.htw-berlin.de/people/weberwu/

------------------------------

Date: Jun 16, 2015 3:15 PM
From: "Eric Burger" <eburger () standardstrack com>
Subject: UN: Encryption a Fundamental Right

  [via Dave Farber]

On Wednesday, Special Rapporteur on freedom of opinion and expression David
Kaye will present his report on international legal protection for
encryption and anonymity to the United Nations Human Rights Council. The
report is an important contribution to the security conversation at a time
when some Western leaders are calling for ill-informed and impossible
loopholes in technology--a trend that facilitates surveillance and tends to
enable states that openly seek to repress journalists.

http://cpj.org/blog/2015/06/un-report-promotes-encryption-as-fundamental-and-p.php
http://www.washingtonpost.com/blogs/the-switch/wp/2015/02/19/what-president-obama-is-getting-wrong-about-encryption/
http://www.theguardian.com/commentisfree/2015/jan/13/cameron-ban-encryption-digital-britain-online-shopping-banking-messaging-terror
http://cpj.org/blog/2015/01/classifying-media-and-encryption-as-a-threat-is-da.php
http://cpj.org/blog/2015/04/when-it-comes-to-great-firewall-attacks-https-is-g.php
http://www.ohchr.org/EN/Issues/FreedomOpinion/Pages/CallForSubmission.aspx

------------------------------

Date: Tue, 16 Jun 2015 18:55:50 -0700
From: Lauren Weinstein <lauren () vortex com>
Subject: Samsung Keyboard Security Risk - 600M+ devices affected

NowSecure via NNSquad
https://www.nowsecure.com/keyboard-vulnerability/

  Over 600 million Samsung mobile device users have been affected by a
  significant security risk on leading Samsung models, including the
  recently released Galaxy S6. The risk comes from a pre-installed keyboard
  that allows an attacker to remotely execute code as a privileged (system)
  user ... While Samsung began providing a patch to mobile network operators
  in early 2015, it is unknown if the carriers have provided the patch to
  the devices on their network. In addition, it is difficult to determine
  how many mobile device users remain vulnerable, given the device models
  and number of network operators globally.

------------------------------

Date: Wed, 17 Jun 2015 14:44:01 +0200
From: Richard I Cook MD <ricookmd () gmail com>
Subject: Payments to RBS customers missing

About 600,000 payments expected by customers of the RBS group of banks
have failed to enter accounts overnight, the bank has admitted. Payments
including tax credits and disability living allowance are among the payments
that have failed to be credited to accounts.  [...] it had now identified
and fixed the underlying problem. However, it is an embarrassment for the
group which was fined 56M pounds by regulators after a 2012 software issue
left millions of customers unable to access accounts. RBS, NatWest, and
Ulster Bank customers were affected in June 2012 after problems with a
software upgrade. RBS said it had invested hundreds of millions of pounds to
improve its computer systems since then.

http://www.bbc.com/news/business-33162855

------------------------------

Date: Tue, 16 Jun 2015 23:27:33 -0600
From: Jim Reisert AD1C <jjreisert () alum mit edu>
Subject: Shooting over cellphone: case is 'extreme', say police (CBC News)

The shooting death of an 18-year-old man trying to retrieve his lost
smartphone highlights the risks of using a mobile-tracking app, say police.

Jeremy Cook, a native of Brampton, Ont., was gunned down at about 5:15
a.m. ET on Sunday. London police found his body at the rear of a strip mall
near Huron Street and Highbury Avenue in the city's north end. He had
multiple gunshot wounds.

Cook had left his smartphone in a taxi and traced it electronically to an
address on Highbury Avenue.

When he and a relative went to the address, he was confronted by three men
in a car, Steeves told CBC News.

http://www.cbc.ca/news/canada/toronto/shooting-over-cellphone-case-is-extreme-say-police-1.3115069

------------------------------

Date: Fri, 19 Jun 2015 08:20:46 -0700
From: Lauren Weinstein <lauren () vortex com>
Subject: Heinz says sorry for ketchup QR code that links to porn site

Appy-geek via NNSquad
http://www.appy-geek.com/Web/ArticleWeb.aspx?regionid=1&articleid=43584144&source=googleplus

  The QR code linked to a URL used for the "Spread the word with Heinz"
  competition between 2012 and 2014. Heinz allowed the domain name
  "sagsmithheinz.de" to lapse after the competition closed, which was
  subsequently purchased by a purveyor of German adult entertainment.

The right way to have done this, of course, would have been to have the QR
code point at some URL within the permanent Heinz domain and redirect to the
promotion site. Then when the promotion ends you could change the redirect
to something still sensible. But hey, that takes forethought.
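The redirect-through-a-permanent-domain scheme described above, as an added
example (not from the post, nor anything Heinz or its agency ran): the QR code
is printed with a URL on a brand host that is assumed here to be
www.example-brand.com, a resolver sends visitors to the promotion site only
while the campaign is live, and after that to a page that still lives on the
brand host.  The resolver also refuses a live target that is not on a short
trusted-host list (so the /go/ path cannot become an open redirect) and refuses
a post-campaign fallback off the permanent host, since that is exactly the
destination that would otherwise outlive the promotion's domain registration.
All hosts, slugs and dates below are made up.

```python
# Added example: QR-code campaign links that never leave a permanent host.
# Hosts, campaign slugs and dates are constructed for illustration.
from dataclasses import dataclass
from datetime import date
from typing import Dict, Iterable
from urllib.parse import urlsplit

PERMANENT_HOST = "www.example-brand.com"   # assumed: host printed on packaging


@dataclass(frozen=True)
class Campaign:
    slug: str        # path segment encoded in the QR code
    target: str      # promotion site while the campaign runs
    starts: date
    ends: date       # inclusive last day of the promotion
    fallback: str    # destination once the campaign is over


def _host(url: str) -> str:
    return (urlsplit(url).hostname or "").lower()


def qr_url(slug: str) -> str:
    """The URL to encode in the printed QR code: always on the permanent host."""
    return f"https://{PERMANENT_HOST}/go/{slug}"


class Redirector:
    def __init__(self, trusted_promo_hosts: Iterable[str]) -> None:
        # Promotion sites are often run by an agency on its own domain; only
        # hosts listed here may be used as a live target (no open redirect).
        self.trusted = {h.lower() for h in trusted_promo_hosts}
        self.campaigns: Dict[str, Campaign] = {}

    def register(self, c: Campaign) -> None:
        if _host(c.target) not in self.trusted:
            raise ValueError(f"untrusted promotion host: {_host(c.target)}")
        # The post-campaign destination must stay on the permanent host, so a
        # printed code never depends on a third-party registration that can
        # lapse and be bought by someone else.
        if _host(c.fallback) != PERMANENT_HOST:
            raise ValueError("fallback must live on the permanent host")
        if c.ends < c.starts:
            raise ValueError("campaign ends before it starts")
        self.campaigns[c.slug] = c

    def resolve(self, slug: str, today: date) -> str:
        """Location header to send for GET /go/<slug> on the given day."""
        c = self.campaigns.get(slug)
        if c is None:
            return f"https://{PERMANENT_HOST}/"        # unknown or retired code
        if c.starts <= today <= c.ends:
            return c.target
        return c.fallback


def registration_rejected(c: Campaign) -> bool:
    """True if the resolver refuses to register the campaign."""
    try:
        Redirector(["promo.example-agency.com"]).register(c)
    except ValueError:
        return True
    return False


def demo() -> dict:
    r = Redirector(trusted_promo_hosts=["promo.example-agency.com"])
    r.register(Campaign(
        slug="spread-the-word",
        target="https://promo.example-agency.com/spread-the-word",
        starts=date(2012, 9, 1),
        ends=date(2014, 12, 31),
        fallback=f"https://{PERMANENT_HOST}/promotions/ended",
    ))
    foreign_fallback = Campaign("x", "https://promo.example-agency.com/x",
                                date(2012, 1, 1), date(2012, 2, 1),
                                "https://other-host.example/x")
    untrusted_target = Campaign("y", "https://unlisted.example/y",
                                date(2012, 1, 1), date(2012, 2, 1),
                                f"https://{PERMANENT_HOST}/y")
    return {
        "printed": qr_url("spread-the-word"),
        "during": r.resolve("spread-the-word", date(2013, 6, 1)),
        "after": r.resolve("spread-the-word", date(2015, 6, 19)),
        "unknown": r.resolve("no-such-code", date(2015, 6, 19)),
        "rejects_foreign_fallback": registration_rejected(foreign_fallback),
        "rejects_untrusted_target": registration_rejected(untrusted_target),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k:>24}: {v}")
```

The cost of this design is one HTTP hop and a small table to maintain; the
benefit is that the thing printed on millions of bottles only ever names a host
the brand will keep, and the end-of-campaign behaviour is decided by editing a
row rather than by whoever next registers the agency's domain.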

------------------------------

Date: Thu, 18 Jun 2015 12:16:35 -0700
From: Gene Wirchenko <genew () telus net>
Subject: Zero-day exploit lets App Store malware steal OS X and iOS passwords
  (Glenn Fleishman)

Glenn Fleishman, Macworld, 18 Jun 2015
Researchers discover an exploit that lets OS X and iOS malware in the
App Store steal passwords and app data, as well as hijack session tokens
http://www.infoworld.com/article/2937241/security/zero-day-exploit-lets-app-store-malware-steal-os-x-and-ios-passwords.html

------------------------------

Date: Thu, 18 Jun 2015 11:47:35 -0400
From: paul wallich <pw () panix com>
Subject: Don't pay your bills all at once

Early this morning my spouse texted me from the airport to let me know that
our credit card had been declined just as she was leaving for a trip. Turns
out there was "suspicious activity" on the card last night, and the
fraud-control folks had put a hold on it. The suspicious transactions: one
small purchase from an online retailer we use often, and three $100-plus
payments over the course of 30 minutes to what turned out to be the local
cable company, electric company and a mobile phone provider.

In other words, my spouse had been financially diligent and made sure all
our current bills were paid before leaving town.

This is by no means intended to ridicule the credit-card company and its
fraud-detection algorithms. The transactions (except, perhaps for the
payees) do fit the common fraud pattern of one small test purchase and then
a bunch of big-ticket ones. And it took less than 10 minutes on the phone to
clear the problem up. But. It did make me think about how vulnerable our
current payment infrastructure is, and about the reversal of roles that has
occurred. Compromised accounts have become so common that, instead of
fraudsters trying to avoid detection, it's the job of legitimate customers
to figure out how not to be mistaken for crooks.

------------------------------

Date: Wed, 17 Jun 2015 9:16:51 PDT
From: "Peter G. Neumann" <neumann () csl sri com>
Subject: Officials say security lapses left OMB system open to hackers

http://bigstory.ap.org/article/d81b464390c34ab293e0abb3cccd4fcc/officials-say-security-lapses-left-system-open-hackers

  [The information was indeed very sensitive.  WHY was it on the Web?  PGN]

------------------------------

Date: Wed, 17 Jun 2015 09:19:15 +0930
From: William Brodie-Tyrrell <william () brodie-tyrrell org>
Subject: Re: Report: Russia, China Crack Snowden Docs (RISKS-28.70)

There is also significant risk in "journalists" publishing the
uncorroborated assertions of anonymous government officials who have a
direct interest in smearing people:

https://firstlook.org/theintercept/2015/06/14/sunday-times-report-snowden-files-journalism-worst-also-filled-falsehoods/

------------------------------

Date: Wed, 17 Jun 2015 09:03:54 +0800
From: "Mark E. Smith" <mymark () gmail com>
Subject: Liars trust cheaters

Re: Sex, lies and debt potentially exposed by OPM data hack

Had the retired officer disclosed to the government that he'd been cheating
on his taxes rather than cheating on his wife for twenty years (but later
paid up), would he have still gotten his security clearance?

------------------------------

Date: Thu, 18 Jun 2015 14:21:26 -0700
From: Henry Baker <hbaker1 () pipeline com>
Subject: OPM: Gone Phishing: Shoot the Wounded

FYI -- OPM sent 750k e-mails to notify Fed employees & asked that *they
click on a link* to sign up for credit monitoring and other protections.
Isn't that how we got here in the first place?

[Of course, whoever stole the OPM data just did a facepalm and is now
thinking: "why didn't I think of that?"]

Lisa Rein, *WashPost*, 18 June 2015
Reacting to Chinese hack, the government may not have followed its own
cybersecurity rules
http://www.washingtonpost.com/blogs/federal-eye/wp/2015/06/18/reacting-to-chinese-hack-the-government-may-not-have-followed-its-own-cybersecurity-rules/

In responding to China's massive hack of federal personnel data, the
government may have run afoul of computer security again.

Over the last nine days, the Office of Personnel Management has sent e-mail
notices to hundreds of thousands of federal employees to notify them of the
breach and recommend that they click on a link to a private contractor's Web
site to sign up for credit monitoring and other protections.

But those e-mails have been met with increasing alarm by employees -- along
with retirees and former employees with personal data at risk -- who worry
that the communications may be a form of spear phishing used by adversaries
to penetrate sensitive government computer systems.

After the Defense Department raised a red flag about the e-mails its 750,000
civilian employees were starting to receive, OPM officials said late
Wednesday that the government had suspended its electronic notifications
this week.

``We've seen such distrust and concerns about phishing,'' OPM spokesman Sam
Schumach acknowledged, describing the feedback from many of the 4.2 million
current and former employees who are being notified that personnel files
containing their Social Security numbers, addresses and other personal
information may have been stolen.

Computer experts said the personnel agency -- already under fire from
lawmakers from both parties for failing to protect sensitive databases from
hackers -- could be putting federal systems in jeopardy again by asking
employees to click on links in the e-mails.

``There's a risk that you desensitize people by telling them that
occasionally, there's going to be a very important email you have to click
on,'' said Joseph Lorenzo Hall, chief technologist at the Center for
Democracy & Technology.  He called OPM's first round of e-mail transmissions
the equivalent of ``sending a postcard to people saying gee, you just got
hacked, go to this website. The hackers could wise up and send their own set
of fake identity protection e-mails and get into your computers all over
again.''

That's precisely what worried top Defense officials before the chief
information officer of the government's largest agency told OPM last week to
suspend the notifications because they disregarded basic cybersecurity
training that's crucial to ensuring the safety of military networks: Never
click on unfamiliar links, attachments or e-mail addresses because they
expose employees to spear phishing attacks.

Defense offices across the country posted a bulletin in their internal
communication networks from CIO Terry Halvorsen that said OPM was
``suspending notification to DoD personnel that their [Personal Identifying
Information] may have been breached until an improved, more secure
notification and response process can be put in place.''  [...]

------------------------------

Date: Mon, 17 Nov 2014 11:11:11 -0800
From: RISKS-request () csl sri com
Subject: Abridged info on RISKS (comp.risks)

 The ACM RISKS Forum is a MODERATED digest. Its Usenet manifestation is
 comp.risks, the feed for which is donated by panix.com as of June 2011.
=> SUBSCRIPTIONS: PLEASE read RISKS as a newsgroup (comp.risks or equivalent)
 if possible and convenient for you.  The mailman Web interface can
 be used directly to subscribe and unsubscribe:
   http://mls.csl.sri.com/mailman/listinfo/risks
 Alternatively, to subscribe or unsubscribe via e-mail to mailman
 your FROM: address, send a message to
   risks-request () csl sri com
 containing only the one-word text subscribe or unsubscribe.  You may
 also specify a different receiving address: subscribe address= ... .
 You may short-circuit that process by sending directly to either
   risks-subscribe () csl sri com or risks-unsubscribe () csl sri com
 depending on which action is to be taken.

 Subscription and unsubscription requests require that you reply to a
 confirmation message sent to the subscribing mail address.  Instructions
 are included in the confirmation message.  Each issue of RISKS that you
 receive contains information on how to post, unsubscribe, etc.

=> The complete INFO file (submissions, default disclaimers, archive sites,
 copyright policy, etc.) is online.
   <http://www.CSL.sri.com/risksinfo.html>
 *** Contributors are assumed to have read the full info file for guidelines.

=> .UK users may contact <Lindsay.Marshall () newcastle ac uk>.
=> SPAM challenge-responses will not be honored.  Instead, use an alternative
 address from which you NEVER send mail!
=> SUBMISSIONS: to risks () CSL sri com with meaningful SUBJECT: line.
 *** NOTE: Including the string `notsp' at the beginning or end of the subject
 *** line will be very helpful in separating real contributions from spam.
 *** This attention-string may change, so watch this space now and then.
=> ARCHIVES: ftp://ftp.sri.com/risks for current volume
     or ftp://ftp.sri.com/VL/risks for previous VoLume
 http://www.risks.org takes you to Lindsay Marshall's searchable archive at
 newcastle: http://catless.ncl.ac.uk/Risks/VL.IS.html gets you VoLume, ISsue.
   Lindsay has also added to the Newcastle catless site a palmtop version
   of the most recent RISKS issue and a WAP version that works for many but
   not all telephones: http://catless.ncl.ac.uk/w/r
 <http://the.wiretapped.net/security/info/textfiles/risks-digest/> .
==> PGN's comprehensive historical Illustrative Risks summary of one liners:
    <http://www.csl.sri.com/illustrative.html> for browsing,
    <http://www.csl.sri.com/illustrative.pdf> or .ps for printing
  is no longer maintained up-to-date except for recent election problems.
 *** NOTE: If a cited URL fails, we do not try to update them.  Try
  browsing on the keywords in the subject line or cited article leads.
==> Special Offer to Join ACM for readers of the ACM RISKS Forum:
    <http://www.acm.org/joinacm1>

------------------------------

End of RISKS-FORUM Digest 28.71
************************
