Risks Digest 28.60
From: RISKS List Owner <risko () csl sri com>
Date: Mon, 27 Apr 2015 15:41:29 PDT

RISKS-LIST: Risks-Forum Digest  Monday 27 Apr 2015  Volume 28 : Issue 60

ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
Peter G. Neumann, moderator, chmn ACM Committee on Computers and Public Policy

***** See last item for further information, disclaimers, caveats, etc. *****
This issue is archived at <http://www.risks.org> as
  <http://catless.ncl.ac.uk/Risks/28.60.html>
The current issue can be found at
  <http://www.csl.sri.com/users/risko/risks.txt>

  Contents:
Obama's unclassified e-mail hacked by Russians (NYTimes via PGN)
Computer Attacks Spur Congress to Act on Cybersecurity Bill Years in the
  Making (NYTimes via Monty Solomon)
How computerized trading in the hands of a nobody in Britain allegedly
  crashed the stock market (WashPost via Gene Spafford)
Next-Gen Navigation - CEA (Gabe Goldberg)
Civilization near collapse; all Starbucks stores close due to point-of-sale
  failure (Jeremy Epstein)
Wi-Fi software security bug could leave Android, Windows, Linux open to
  attack (Ars Technica via Lauren Weinstein)
"HTTPS snooping flaw affected 1,000 iOS apps with millions of users"
  (Lucian Constantin via Gene Wirchenko)
"Apple's OS X 'Rootpipe' patch flops, fails to fix flaw"
  (Gregg Keizer via Gene Wirchenko)
Shamir Reveals Sisyphus Algorithm (John Young)
'Flash Crash' 101: How could one guy do that? (CNBC via Monty Solomon)
All times are in UTC, any included timezone is ignored (Dan Jacobson)
Court: Iowa casino doesn't have to pay $41M jackpot error (StLToday)
Security scholarship awardees announced (Jeremy Epstein)
Re: "Bob Wachter on Technology and Hospitals at Medium" (Gene Wirchenko)
Re: Kali Linux security is a joke! (Henry Baker)
Abridged info on RISKS (comp.risks)

----------------------------------------------------------------------

Date: Mon, 27 Apr 2015 10:34:55 PDT
From: "Peter G. Neumann" <neumann () csl sri com>
Subject: Obama's unclassified e-mail hacked by Russians

Here's another item on the general theme of the pervasiveness of security
vulnerabilities.

http://www.nytimes.com/2015/04/26/us/russian-hackers-read-obamas-unclassified-emails-officials-say.html

------------------------------

Date: Wed, 22 Apr 2015 11:48:02 -0400
From: Monty Solomon <monty () roscom com>
Subject: Computer Attacks Spur Congress to Act on Cybersecurity Bill Years in the Making

http://www.nytimes.com/2015/04/23/us/politics/computer-attacks-spur-congress-to-act-on-cybersecurity-bill-years-in-making.html

The House is expected to pass a bill pushing companies to share data with
federal investigators in the wake of breaches at Sony, Target and the health
insurer Anthem.

  [So, these companies -- and the Congress -- might eventually realize that
  every computer system connected to the Internet is inherently vulnerable,
  as well as all the systems not even connected?  And that ubiquitous
  abilities for surveillance can only make it worse?  PGN]

------------------------------

Date: Wed, 22 Apr 2015 08:57:31 -0700
From: Gene Spafford <spaf () cerias purdue edu>
Subject: How computerized trading in the hands of a nobody in Britain allegedly crashed the stock market

*The Washington Post*, 22 Apr 2015
http://www.washingtonpost.com/news/morning-mix/wp/2015/04/22/how-computerized-trading-in-the-hands-of-a-nobody-in-britain-allegedly-crashed-the-stock-market/

------------------------------

Date: Sat, 25 Apr 2015 22:11:07 -0400
From: Gabe Goldberg <gabe () gabegold com>
Subject: Next-Gen Navigation - CEA

It's a common refrain among car buyers: ``Why do I need a built-in navigation
system when I can use the maps app on my smartphone?''  Now automakers are
answering, turning factory-installed navigation systems and the maps that
support them into crucial components of new advanced driver assistance
systems (ADAS) and safety systems.  No longer just a convenience item,
in-dash navigation systems are evolving both technologically and
strategically and someday will help drive not just autonomous vehicles, but
new business models, as well.  ...

(15-years-out concept car): Pedestrians can't see inside the vehicle, to give
passengers privacy.  Passengers in the F 015 can see only partly out the side
windows, so giant 4K-resolution displays in the door panels and a car-width
5K display in the dashboard show representations of the vehicle's
surroundings as they're detected by the vehicle's various sensors and
cameras.  A `Guided Path' menu item accesses the navigation system's
point-of-interest (POI) database to show places the car will pass along its
route -- in a timeline fashion, with photorealistic imagery -- giving
passengers the opportunity to program a stop.  Certain POIs also are linked
to 360-degree photos, letting passengers get acquainted with destinations
before they arrive.  There are no buttons in the cars.  For controls and menu
selections, all the side displays are touch-sensitive and have proximity
sensors.

http://www.ce.org/i3/Features/2015/March-April/Next-Gen-Navigation

What could...

Gabriel Goldberg, Computers and Publishing, Inc.  gabe () gabegold com
3401 Silver Maple Place, Falls Church, VA 22042  (703) 204-0433

------------------------------

Date: Sat, 25 Apr 2015 20:28:56 -0400
From: Jeremy Epstein <jeremy.j.epstein () gmail com>
Subject: Civilization near collapse; all Starbucks stores close due to point-of-sale failure

Starbucks says an outage that affected all of their point-of-sale terminals
was "caused by an internal failure during a daily system refresh and was not
the result of an external breach".  I find that a strange explanation, since
the failure hit mid-day in the US, and I would think that a "daily system
refresh" would be during the overnight hours.  (During the outage, some
locations gave away free drinks, some went cash-only, and others closed.
No riots reported by caffeine addicts.)

I don't know anything about running global IT infrastructures, so perhaps I'm
naive, but I would think that rollouts would be done in a rolling fashion to
avoid shutting down the entire company.  I'm sure there are many cases like
this, but I remember one that affected me, when the local cable TV provider
(Cox) did a push update of every cable modem in the county, and in the
process bricked 10s of thousands of units before they realized the problem.
It surprised me then that there weren't fail-safe mechanisms in place -
i.e., making sure that units "phoned home" after an upgrade, and
automatically stopping the rollout if any more than epsilon fail the phone
home.

https://news.starbucks.com/news/starbucks-point-of-sale-register-outage-resolved

------------------------------

Date: Wed, 22 Apr 2015 14:34:58 -0700
From: Lauren Weinstein <lauren () vortex com>
Subject: Wi-Fi software security bug could leave Android, Windows, Linux open to attack

Ars Technica via NNSquad
http://arstechnica.com/security/2015/04/wi-fi-software-security-bug-could-leave-android-windows-linux-open-to-attack/

  "The end result is that an attacker could corrupt information in memory,
  causing wpa_supplicant and Wi-Fi service to crash; a crafted SSID could
  essentially be used as a denial-of-service attack on affected devices
  simply by sending out responses to Wi-Fi probe requests or P2P network
  Public Action messages.  But it could also expose memory contents during
  the three-way handshake of a peer-to-peer network negotiation (the GO
  negotiation) or potentially allow for the attacker to execute code on the
  target.  A patch for the bug has been posted, and, based on Google's
  involvement, it will likely be part of an Android security update shortly.
  However, the distribution of that fix will depend on Android handset
  manufacturers and carriers to reach end users."

And we can assume that owners of many older Android devices won't be getting
a fix from carriers or Google.

------------------------------

Date: Thu, 23 Apr 2015 10:01:31 -0700
From: Gene Wirchenko <genew () telus net>
Subject: "HTTPS snooping flaw affected 1,000 iOS apps with millions of users" (Lucian Constantin)

Lucian Constantin, InfoWorld, 21 Apr 2015
Flaw in the third-party library AFNetworking broke HTTPS certificate
validation, enabling man-in-the-middle attacks
http://www.infoworld.com/article/2912440/security/https-snooping-flaw-affected-1000-ios-apps-with-millions-of-users.html

Apps used by millions of iPhone and iPad owners became vulnerable to snooping
when a flaw was introduced into third-party code they used to establish HTTPS
connections.  [...]

------------------------------

Date: Thu, 23 Apr 2015 10:10:41 -0700
From: Gene Wirchenko <genew () telus net>
Subject: "Apple's OS X 'Rootpipe' patch flops, fails to fix flaw" (Gregg Keizer)

Gregg Keizer, Computerworld, 21 Apr 2015
Researcher finds 'trivial way' to exploit privilege escalation vulnerability
after Apple tries to plug Yosemite hole
http://www.infoworld.com/article/2912620/operating-systems/apples-os-x-rootpipe-patch-flops-fails-to-fix-flaw.html

------------------------------

Date: April 22, 2015 at 12:24:20 PM EDT
From: John Young <jya () pipeline com>
Subject: Shamir Reveals Sisyphus Algorithm

  [An item on many cryptography lists, via Dave Farber, on Adi Shamir at the
  RSA Conference last week.]

Fully secure systems don't exist now and won't exist in the future.
Cryptography won't be broken, it will be bypassed.
Futility of trying to eliminate every single vulnerability in a given piece
of software.

https://threatpost.com/fully-secure-systems-dont-exist/112380#sthash.sKPz03sv.dpuf

------------------------------

Date: Sat, 25 Apr 2015 11:08:06 -0400
From: Monty Solomon <monty () roscom com>
Subject: 'Flash Crash' 101: How could one guy do that?

Trader Charged in 'Flash Crash' Case to Fight Extradition to U.S.
The trader, Navinder Singh Sarao, is facing criminal fraud charges, including
claims that he helped set off a stock market crash in the United States.
http://www.nytimes.com/2015/04/23/business/dealbook/trader-charged-in-flash-crash-case-to-fight-extradition-to-us.html

How did that UK trader allegedly cause the "flash crash?"  Ex-trader Raj
Malhotra breaks it down.
http://www.cnbc.com/id/102610451

------------------------------

Date: Sat, 25 Apr 2015 12:38:12 +0800
From: Dan Jacobson <jidanni () jidanni org>
Subject: All times are in UTC, any included timezone is ignored

In http://www.mediawiki.org/w/api.php?action=help&modules=main#main.datatypes
we read "All times are in UTC, any included timezone is ignored."

I say non-UTC timezones should instead raise errors!  Why?  Because one day,
when you finally do implement parsing timezones, the system will be upwardly
compatible.  Each day you let users enter timezones that are ignored, one day
when you finally do parse them correctly, you'll have all the more users
scratching their heads as to why results are suddenly different.  (Sure you
can blame the users for not reading the instructions.  But it is more likely
they have already added a skew to correct for what turns out to be an
ignored time zone.)

OK, I filed https://phabricator.wikimedia.org/T97214

------------------------------

Date: Fri, 24 Apr 2015 21:14:09 -0400
From: Monty Solomon <monty () roscom com>
Subject: Court: Iowa casino doesn't have to pay $41M jackpot error

http://m.stltoday.com/news/state-and-regional/illinois/court-iowa-casino-doesn-t-have-to-pay-m-jackpot/article_e0299503-e7e7-5003-a918-df7ae3b78bc4.html?mobile_touch=true

------------------------------

Date: Thu, 23 Apr 2015 15:27:17 -0400
From: Jeremy Epstein <jeremy.j.epstein () gmail com>
Subject: Security scholarship awardees announced

We talk on this list about the many risks to security and privacy of
technology.  And it's almost always a pretty bleak picture.  But today, I'd
like to mention a sunnier side - getting more women involved in the field.

Four years ago, ACSA founded the Scholarships for Women Studying Information
Security program (www.swsis.org).  A year ago, HP made a generous
contribution to allow us to grow the program.  (Contributions from others
are welcome - please contact me!)

I'm proud to announce the 16 SWSIS Scholars for 2015-16, each of whom has
received a scholarship to further their undergraduate or master's degree.

The HP press release can be found at
http://money.cnn.com/news/newsfeeds/articles/marketwire/1188849.htm

Photos and bios of most of the awardees can be found at
https://swsis.wordpress.com/2015-16-awardees/

The 2015-16 SWSIS Scholars are:

  Evelyn Brown, Embry Riddle Aeronautical University, Prescott
  Priya Chawla, University of Cincinnati
  Shelby Cunningham, Carnegie Mellon University
  Alejandra Diaz, University of Maryland Baltimore County
  Fumi Honda, Stony Brook University
  Ashley Huffman, Northern Kentucky University
  Cindy Jong, DePaul University
  Madison Oliver, Pennsylvania State University
  Mary Sharp, Marshall University
  Imani Sherman, Kentucky State University
  Angela Sun, Michigan State University
  Kebra Thompson, University of Washington, Tacoma
  Stefanye Walkes, California State University, Dominguez Hills
  Gena Welk, University of Colorado at Boulder
  Leah Xu, University of Maryland at College Park
  Brooke Young, University of Maryland Baltimore County

Thanks in particular to Rebecca Wright from Rutgers University and CRA-W, and
her team, who sifted through the applications to select the winners.

Jeremy Epstein, Founder, Scholarship for Women Studying Information Security
Applied Computer Security Associates, Inc.

------------------------------

Date: Thu, 23 Apr 2015 23:18:06 -0700
From: Gene Wirchenko <genew () telus net>
Subject: "Bob Wachter on Technology and Hospitals at Medium" (Re: Mundkur, RISKS-28.59)

A 5-part series of articles by Bob Wachter, a UCSF MD and author of "The
Digital Doctor: Hope, Hype, and Harm at the Dawn of Medicine's Computer
Age", that would be appreciated by the RISKS audience, collected here:
https://medium.com/@Bob_Wachter

I think that Mundkur grossly understated the value of this article series.
I have been reading RISKS for many years, and no other information that I
have read in connection with risks has hit anywhere nearly as hard as this
article series did.  The series is very clear and full of detail, so it is
easy to see how the horrific chain of events that is the main story came to
happen.  If you have not already read this series, please do so.

  [Gene's `grossly understated' seems *grossly overstated*, considering
  Prashanth did a wonderful thing by mentioning that this series of articles
  would be appreciated by RISKS readers.  As a result, I for one really
  appreciate Bob's efforts, and echo Gene's comments on the significance of
  Bob Wachter's work.  Incidentally, a `Wachter' is a watcher (auf deutsch),
  and that translation of Bob's name would indeed be a gross understatement
  of Bob's role in this five-part series.  It really deserves careful
  scrutiny.  PGN]

------------------------------

Date: Wed, 01 Apr 2015 06:11:13 -0700
From: Henry Baker <hbaker1 () pipeline com>
Subject: Re: Kali Linux security is a joke! (Jackson, RISKS-28.59)

This issue has been discussed at length on the crypto email list, and here
are the conclusions, as I see them:

* md5 itself is broken; there are better hashes around, so the recommendation
  of md5 on the Kali web page is indeed a joke (although not quite the same
  joke I originally had in mind).

* https/TLS does not solve all SW distribution problems, but using it in
  conjunction with various signature mechanisms does make an attacker have to
  work harder and actively; http makes passive observation way too easy.
  Once an attacker knows exactly what SW you have, you are much easier to
  attack.

* http makes a MITM/DOS attack trivial; you may never get a bad piece of SW,
  but you may also never get any SW update at all.

Regarding "what would Henry Baker do" when designing a SW update mechanism:
I'm not completely sure.  The threat model for SW distribution today includes
nation-states with "acres of Crays", with no regulatory, budget or location
constraints, and with the entire Internet as a "free fire zone"; this threat
model may not have been anticipated by many of the SW distribution systems in
existence today.

SW distribution has been successfully attacked before (Stuxnet), and will
continue to be attacked, because it is a Willie Sutton target -- "that's
where the money is".

http://www.leviathansecurity.com/blog/the-case-of-the-modified-binaries/

"You must reboot your computer now to finish installing the latest security
updates.  NSA/GCHQ/... thanks you for your support in their war of^Hn terror."

------------------------------

Date: Mon, 17 Nov 2014 11:11:11 -0800
From: RISKS-request () csl sri com
Subject: Abridged info on RISKS (comp.risks)

 The ACM RISKS Forum is a MODERATED digest.  Its Usenet manifestation is
 comp.risks, the feed for which is donated by panix.com as of June 2011.
=> SUBSCRIPTIONS: PLEASE read RISKS as a newsgroup (comp.risks or equivalent)
 if possible and convenient for you.  The mailman Web interface can
 be used directly to subscribe and unsubscribe:
   http://mls.csl.sri.com/mailman/listinfo/risks
 Alternatively, to subscribe or unsubscribe via e-mail to mailman
 your FROM: address, send a message to
   risks-request () csl sri com
 containing only the one-word text subscribe or unsubscribe.  You may
 also specify a different receiving address: subscribe address= ... .
 You may short-circuit that process by sending directly to either
   risks-subscribe () csl sri com or risks-unsubscribe () csl sri com
 depending on which action is to be taken.

 Subscription and unsubscription requests require that you reply to a
 confirmation message sent to the subscribing mail address.  Instructions
 are included in the confirmation message.  Each issue of RISKS that you
 receive contains information on how to post, unsubscribe, etc.

=> The complete INFO file (submissions, default disclaimers, archive sites,
 copyright policy, etc.) is online.
   <http://www.CSL.sri.com/risksinfo.html>
 *** Contributors are assumed to have read the full info file for guidelines.

=> .UK users may contact <Lindsay.Marshall () newcastle ac uk>.
=> SPAM challenge-responses will not be honored.  Instead, use an alternative
 address from which you NEVER send mail!
=> SUBMISSIONS: to risks () CSL sri com with meaningful SUBJECT: line.
 *** NOTE: Including the string `notsp' at the beginning or end of the subject
 *** line will be very helpful in separating real contributions from spam.
 *** This attention-string may change, so watch this space now and then.
=> ARCHIVES: ftp://ftp.sri.com/risks for current volume
     or ftp://ftp.sri.com/VL/risks for previous VoLume
 http://www.risks.org takes you to Lindsay Marshall's searchable archive at
 newcastle: http://catless.ncl.ac.uk/Risks/VL.IS.html gets you VoLume, ISsue.
   Lindsay has also added to the Newcastle catless site a palmtop version
   of the most recent RISKS issue and a WAP version that works for many but
   not all telephones: http://catless.ncl.ac.uk/w/r
 <http://the.wiretapped.net/security/info/textfiles/risks-digest/> .
==> PGN's comprehensive historical Illustrative Risks summary of one liners:
    <http://www.csl.sri.com/illustrative.html> for browsing,
    <http://www.csl.sri.com/illustrative.pdf> or .ps for printing
  is no longer maintained up-to-date except for recent election problems.
 *** NOTE: If a cited URL fails, we do not try to update them.  Try browsing
 on the keywords in the subject line or cited article leads.
==> Special Offer to Join ACM for readers of the ACM RISKS Forum:
    <http://www.acm.org/joinacm1>

------------------------------

End of RISKS-FORUM Digest 28.60
************************