RISKS Forum mailing list archives
Risks Digest 28.64
From: RISKS List Owner <risko () csl sri com>
Date: Sat, 16 May 2015 12:07:32 PDT
RISKS-LIST: Risks-Forum Digest  Saturday 16 May 2015  Volume 28 : Issue 64

ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
Peter G. Neumann, moderator, chmn ACM Committee on Computers and Public Policy

***** See last item for further information, disclaimers, caveats, etc. *****
This issue is archived at <http://www.risks.org> as
  <http://catless.ncl.ac.uk/Risks/28.64.html>
The current issue can be found at
  <http://www.csl.sri.com/users/risko/risks.txt>

  Contents:
Amtrak Says It Was Just Months Away From Installing Safety System (NYTimes)
Self-driving cars are getting into accidents in California (LATimes)
Worker fired for disabling GPS app that tracked her 24 hours a day (David Kravets via Jim Reisert)
Banned Researcher Commandeered a Plane (Kim Zetter)
United launches bug bounty (but in-flight systems off limits) (Jeremy Kirk)
A Phantom Offer Sends Avon's Shares Surging (NYTimes)
The big drug database in the sky: One firefighter's year-long legal nightmare (Gabe Goldberg)
"Rombertik malware destroys computers if detected" (Jeremy Kirk)
Extremely serious virtual machine bug threatens cloud providers everywhere (Ars Technica)
"Google Confirms Cops Can Wiretap Your Hangouts" (Vice.com)
Cybersecurity company accused of extortion (Henry Baker)
Former federal employee busted for attempted cyber-attack to sell nuclear secrets (Gabe Goldberg)
Mobile Spy Software Maker mSpy Hacked, Customer Data Leaked (Krebs via Lauren Weinstein)
Team cracks Nvidia GPUs with malware for Windows and OS X (Digital Trends)
Penn State severs engineering network after "incredibly serious" intrusion (Ars Technica)
Anonymous accused of running a botnet using thousands of hacked home routers (Daily Dot)
Witness Accounts in Midtown Hammer Attack Show the Power of False Memory (NYTimes)
Trains re: All cars must have tracking devices (David Damerell)
Re: Computer Scientists Use Twitter to Predict UK General Election Result (Gene Wirchenko)
Re: Dealing with rogue drones, Copping a 'copter (Dick Mills)
Re: Authentication vs Identification ... (John Levine)
Abridged info on RISKS (comp.risks)

----------------------------------------------------------------------

Date: Thu, 14 May 2015 21:24:14 -0400
From: Monty Solomon <monty () roscom com>
Subject: Amtrak Says It Was Just Months Away From Installing Safety System

http://www.nytimes.com/2015/05/15/us/amtrak-says-it-was-just-months-away-from-installing-safety-system.html

The railroad said technical and regulatory roadblocks had delayed operation of the system, which might have prevented this week's train derailment.

------------------------------

Date: Tue, 12 May 2015 08:55:59 -0400
From: Monty Solomon <monty () roscom com>
Subject: Self-driving cars are getting into accidents in California

http://www.latimes.com/business/la-fi-self-driving-accidents-20150512-story.html

------------------------------

Date: Mon, 11 May 2015 19:02:15 -0600
From: Jim Reisert AD1C <jjreisert () alum mit edu>
Subject: Worker fired for disabling GPS app that tracked her 24 hours a day (David Kravets)

"This intrusion would be highly offensive to a reasonable person."

David Kravets, Ars Technica, 11 May 2015
http://arstechnica.com/tech-policy/2015/05/worker-fired-for-disabling-gps-app-that-tracked-her-24-hours-a-day/

Let's just jump to the end of the article, shall we?

"The app had a "clock in/out" feature which did not stop GPS monitoring, that function remained on. This is the problem about which Ms. Arias complained. Management never made mention of mileage. They would tell her co-workers and her of their driving speed, roads taken, and time spent at customer locations. Her manager made it clear that he was using the program to continuously monitor her, during company as well as personal time."

------------------------------

Date: Fri, 15 May 2015 21:12:42 PDT
From: "Peter G. Neumann" <neumann () csl sri com>
Subject: Banned Researcher Commandeered a Plane (Kim Zetter)

  (Courtesy of Dan Farmer: Fly the unfriendly skies?)

Kim Zetter, Feds Say That Banned Researcher Commandeered a Plane
http://www.wired.com/2015/05/feds-say-banned-researcher-commandeered-plane/

A security researcher kicked off a United Airlines flight last month after tweeting about security vulnerabilities in its system had previously taken control of an airplane and caused it to briefly fly sideways, according to an application for a search warrant filed by an FBI agent.

Chris Roberts, a security researcher with One World Labs, told the FBI agent during an interview in February that he had hacked the in-flight entertainment system, or IFE, on an airplane and overwrote code on the plane's Thrust Management Computer while aboard the flight. He was able to issue a climb command and make the plane briefly change course, the document states.

FBI Special Agent Mark Hurley: ``He stated that he thereby caused one of the airplane engines to climb resulting in a lateral or sideways movement of the plane during one of these flights. He also stated that he used Vortex software after comprising/exploiting or hacking the airplane's networks. He used the software to monitor traffic from the cockpit system.''

Hurley filed the search warrant application last month after Roberts was removed from a United Airlines flight from Chicago to Syracuse, New York, because he published a facetious tweet suggesting he might hack into the plane's network. Upon landing in Syracuse, two FBI agents and two local police officers escorted him from the plane and interrogated him for several hours. They also seized two laptop computers and several hard drives and USB sticks. Although the agents did not have a warrant when they seized the devices, they told Roberts a warrant was pending.

A media outlet in Canada obtained the application for the warrant today and published it online.
http://aptn.ca/news/2015/05/15/hacker-told-f-b-made-plane-fly-sideways-cracking-entertainment-system/

The information outlined in the warrant application reveals a far more serious situation than Roberts has previously disclosed.

Roberts had previously told WIRED that he caused a plane to climb during a simulated test on a virtual environment he and a colleague created, but he insisted that he had not interfered with the operation of a plane while in flight.

He told WIRED that he did access in-flight networks about 15 times during various flights but had not done anything beyond explore the networks and observe data traffic crossing them. According to the FBI affidavit, however, he mentioned this to agents as well last February but also added that he had briefly commandeered a plane during one of those flights.

He told the FBI he accessed the flights in which he accessed the in-flight networks more than a dozen times occurred between 2011 and 2014, but the affidavit does not indicate exactly which flight he allegedly caused to turn to the side.

He obtained physical access to the networks through the Seat Electronic Box, or SEB. These are installed two to a row, on each side of the aisle under passenger seats, on certain planes. After removing the cover to the SEB by `wiggling and Squeezing the box', Roberts told agents he attached a Cat6 ethernet cable, with a modified connector, to the box and to his laptop and then used default IDs and passwords to gain access to the inflight entertainment system. Once on that network, he was able to gain access to other systems on the planes.

Reaction in the security community to the new revelations in the affidavit have been harsh. Although Roberts hasn't been charged yet with any crime, and there are questions about whether his actions really did cause the plane to list or he simply thought they did, a number of security researchers have expressed shock that he attempted to tamper with a plane during a flight.

``I find it really hard to believe but if that is the case he deserves going to jail,'' wrote Jaime Blasco, director of AlienVault Labs in a tweet.

Alex Stamos, chief information security officer of Yahoo, wrote in a tweet, ``You cannot promote the (true) idea that security research benefits humanity while defending research that endangered hundreds of innocents.''

  [Wonderful long item truncated for RISKS.  PGN]

------------------------------

Date: Sat, 16 May 2015 10:35:30 PDT
From: "Peter G. Neumann" <neumann () csl sri com>
Subject: United launches bug bounty (but in-flight systems off limits) (Jeremy Kirk)

Jeremy Kirk (CSO), 15 May 2015
http://www.cso.com.au/article/575093/united-launches-bug-bounty-in-flight-systems-off-limits/

United Airlines is offering rewards to researchers for finding flaws in its websites but the company is excluding bugs related to in-flight systems, which the U.S. government says may be increasingly targeted by hackers.

The bug bounty program rewards people with miles that can be used for the company's Mileage Plus loyalty program as opposed to cash, which web giants such as Google, Facebook and Yahoo pay.

------------------------------

Date: Fri, 15 May 2015 08:29:44 -0400
From: Monty Solomon <monty () roscom com>
Subject: A Phantom Offer Sends Avon's Shares Surging

http://www.nytimes.com/2015/05/15/business/dealbook/a-phantom-offer-sends-avons-shares-surging.html

------------------------------

Date: Tue, 12 May 2015 22:17:17 -0400
From: Gabe Goldberg <gabe () gabegold com>
Subject: The big drug database in the sky: One firefighter's year-long legal nightmare

Together, Miller and Smith form the basis for what is now known as the "third-party doctrine." In its simplest form, the doctrine says that whenever someone hands over a private piece of information to a third party for a specific purpose, the Fourth Amendment doesn't protect her from a warrantless search of this information by authorities since she has already given up her privacy interest in the information by sharing it.

The doctrine "has been problematic throughout the years, and with every passing year the problems get more and more stark," said Nathan Wessler, a staff attorney at the American Civil Liberties Union who is litigating a prescription drug database case in Oregon. Nearly everything we do online reveals information to a third party, from e-mail stored in the cloud to photo sharing to instant messaging to browsing the Web to geolocation.

"It's totally clear that this doctrine has no place today in the digital age," Wessler added. "It's really impossible to participate in modern life, in social life, in work and business, to get medical care and legal advice without using digital technology and leaving behind a trail and digital bread crumbs."

http://arstechnica.com/tech-policy/2015/05/the-big-drug-database-in-the-sky-one-firefighters-year-long-legal-nightmare/

Gabriel Goldberg, 3401 Silver Maple Place, Falls Church, VA 22042
(703) 204-0433  gabe () gabegold com

------------------------------

Date: Thu, 14 May 2015 09:55:51 -0700
From: Gene Wirchenko <genew () telus net>
Subject: "Rombertik malware destroys computers if detected" (Jeremy Kirk)

Jeremy Kirk, InfoWorld, 5 May 2015
Rombertik is designed to steal any plain text entered into a browser window
http://www.infoworld.com/article/2918401/security/rombertik-malware-destroys-computers-if-detected.html

A new type of malware resorts to crippling a computer if it is detected during security checks, a particularly catastrophic blow to its victims. [...]

------------------------------

Date: Wed, 13 May 2015 13:48:13 PDT
From: "Peter G. Neumann" <neumann () csl sri com>
Subject: Extremely serious virtual machine bug threatens cloud providers everywhere (Ars Technica)

http://arstechnica.com/security/2015/05/extremely-serious-virtual-machine-bug-threatens-cloud-providers-everywhere/
http://www.zdnet.com/article/venom-security-flaw-millions-of-virtual-machines-datacenters/

  [This may be the tip of an iceberg in recognizing more broadly the risks inherent in outsourcing to a provider of unknown trustworthiness.  PGN]

------------------------------

Date: Tue, 12 May 2015 09:12:25 -0700
From: Lauren Weinstein <lauren () vortex com>
Subject: "Google Confirms Cops Can Wiretap Your Hangouts" (Vice.com)

http://motherboard.vice.com/read/google-confirms-cops-can-wiretap-your-hangouts?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed:+xda-developers/ShsH+%28xda-developers%29&hootPostID=976dc560ff0952b50b22b479e285a435

"We asked Google to clarify, or elaborate, on Monday, and a spokesperson confirmed that Hangouts doesn't use end-to-end encryption. That makes it technically possible for Google to wiretap conversations at the request of law enforcement agents, even when you turn on the "off the record" feature, which actually only prevents the chat conversations from appearing in your history--it doesn't provide extra encryption or security. It's unclear how many times this actually happens, however. In all likelihood, it's a rare occurrence."

There has never been a claim of end-to-end crypto for Hangouts. Given the integration of Hangouts to both mobile and desktop, and the various history options, end-to-end crypto in that environment would be a nontrivial undertaking. Not every service is appropriate for every kind of communication.

  [LATER NOTE FROM LAUREN ADDED BY PGN:]

The video of the discussion Hangout I hosted yesterday on the topic of the EU's "Right To Be Forgotten" and its ramifications is now available. Special thanks to the participants for a thoughtful hour!
https://www.youtube.com/watch?v=ZSdhMfsxWOs

------------------------------

Date: Thu, 14 May 2015 11:57:24 -0700
From: Henry Baker <hbaker1 () pipeline com>
Subject: Cybersecurity company accused of extortion

A cybersecurity company has been accused of using FBI/NSA-style "cybersecurity" extortion against clients. Clearly, private companies like LabMD are less willing than the US Congress to abide these extortion attempts.

Tell me that cover story again about that "drunken govt employee" who "inadvertently" flew his "private" drone onto the White House lawn...

Apparently, when govt spooks go into private business, they forget to change their modus operandi...

Jose Pagliery, CNNMoney, 7 May 2015
Whistleblower accuses cybersecurity company of extorting clients
http://money.cnn.com/2015/05/07/technology/tiversa-labmd-ftc/index.html

A cybersecurity company faked hacks and extorted clients to buy its services, according to an ex-employee.

In a federal court this week, Richard Wallace, a former investigator at cybersecurity company Tiversa, said the company routinely engaged in fraud -- and mafia-style shakedowns.

To scare potential clients, Tiversa would typically make up fake data breaches, Wallace said. Then it pressured firms to pay up.

"Hire us or face the music," Wallace said on Tuesday at a federal courtroom in Washington, D.C. CNNMoney obtained a transcript of the hearing.

The results were disastrous for at least one company that stood up to Tiversa and refused to pay.

In 2010, Tiversa scammed LabMD, a cancer testing center in Atlanta, Wallace testified. Wallace said he tapped into LabMD's computers and pulled the medical records. The cybersecurity firm then alerted LabMD it had been hacked. Tiversa offered it emergency "incident response" cybersecurity services.

After the lab refused the offer, Tiversa threatened to tip off federal regulators about the "data breach." When LabMD still refused, Tiversa let the Federal Trade Commission know about the "hack."

  [... LONG ITEM truncated for RISKS.  PGN]

------------------------------

Date: Thu, 14 May 2015 16:31:44 -0400
From: Gabe Goldberg <gabe () gabegold com>
Subject: Former federal employee busted for attempted cyber-attack to sell nuclear secrets

A former employee of the U.S. Department of Energy and U.S. Nuclear Regulatory Commission was busted in an FBI sting for allegedly attempting to set off a "spear fishing" cyber-attack to extract nuclear information from the agency for personal gain.

http://www.foxnews.com/politics/2015/05/09/former-department-energy-employee-busted-for-attempted-cyber-attack-to-sell/

Gabriel Goldberg, 3401 Silver Maple Place, Falls Church, VA 22042
(703) 204-0433  gabe () gabegold com

------------------------------

Date: Thu, 14 May 2015 19:41:51 -0700
From: Lauren Weinstein <lauren () vortex com>
Subject: Mobile Spy Software Maker mSpy Hacked, Customer Data Leaked

http://krebsonsecurity.com/2015/05/mobile-spy-software-maker-mspy-hacked-customer-data-leaked/

mSpy, the makers of a dubious software-as-a-service product that claims to help more than two million people spy on the mobile devices of their kids and partners, appears to have been massively hacked. Last week, a huge trove of data apparently stolen from the company's servers was posted on the Deep Web, exposing countless emails, text messages, payment and location data on an undetermined number of mSpy "users."

Live by the sword, die by the sword.

  [Also noted by Henry Baker, who remarked: ``Any pot with this much honey will get hacked. Any bets on how long before Bluffdale gets hacked (again)?''  PGN]

------------------------------

Date: 15 May 2015 19:39:46 -0400
From: "Bob Frankston" <bob19-0501 () bobf frankston com>
Subject: Team cracks Nvidia GPUs with malware for Windows and OS X (Digital Trends)

http://www.digitaltrends.com/computing/graphics-cards-beware-a-new-style-of-osx-malware-can-hide-in-the-ram-of-gpus/

------------------------------

Date: Fri, 15 May 2015 14:34:54 -0700
From: Lauren Weinstein <lauren () vortex com>
Subject: Penn State severs engineering network after "incredibly serious" intrusion (Ars Technica via NNSquad)

http://arstechnica.com/security/2015/05/penn-state-severs-engineering-network-after-incredibly-serious-intrusion/

"Penn State's College of Engineering has been disconnected from the Internet so it can recover from two serious computer intrusions that exposed personal information for at least 18,000 people and possibly other sensitive data, officials said Friday. The group responsible for one of the attacks appears to be based in China, a country many security analysts have said actively hacks and trawls the computer networks of western nations for a wide range of technical data. University officials said there's no evidence that the intruders obtained research data, but they didn't rule the possibility out. Officials have known of the breach since November 21, when the FBI reported an attack on the engineering college network by an outside entity."

------------------------------

Date: Tue, 12 May 2015 08:27:14 -0700
From: Lauren Weinstein <lauren () vortex com>
Subject: Anonymous accused of running a botnet using thousands of hacked home routers (Daily Dot)

http://www.dailydot.com/politics/botnet-incapsula-research-report-default/

"Lazy security has allowed various groups of hackers, likely including Anonymous, to hijack hundreds of thousands of home and office Internet routers, according to a new report from cybersecurity firm Incapsula."

Well, "lax" security, anyway.

------------------------------

Date: Fri, 15 May 2015 09:04:11 -0400
From: Monty Solomon <monty () roscom com>
Subject: Witness Accounts in Midtown Hammer Attack Show the Power of False Memory

http://www.nytimes.com/2015/05/15/nyregion/witness-accounts-in-midtown-hammer-attack-show-the-power-of-false-memory.html

Two people who saw a police encounter on Wednesday reported different details; surveillance videotape showed that both of them were wrong.

------------------------------

Date: Wed, 13 May 2015 18:49:44 +0100
From: David Damerell <damerell () chiark greenend org uk>
Subject: Trains re: All cars must have tracking devices (Levine, RISKS-28.63)

An increasingly common arrangement (in the UK, at least) is that the signal control room can observe the level crossing via CCTV. That, especially with in-cab signaling, might allow the train to start a brake application before the driver or radar could see the stranded vehicle, either not hitting it or buying time.

However - while I'm not disputing that people would do it - the fundamental problem here seems to be:
1) your vehicle stops moving on a level crossing.
2) the level crossing gates close.
3) you stay in the vehicle.

There is not much the railway can do about that.

------------------------------

Date: Mon, 11 May 2015 18:52:26 -0700
From: Gene Wirchenko <genew () telus net>
Subject: Computer Scientists Use Twitter to Predict UK General Election Result (Page, RISKS-28.62)

Congratulations to Mr. Page et al. on a very good result, BUT what about the people who do not use Twitter? Excluding them could skew results.

There is a famous precedent: *The Literary Digest*'s failure to predict the 1936 U.S. presidential election (as covered at http://www.math.uah.edu/stat/data/LiteraryDigest.html). Some quotes from that article:

"The prospective voters were chosen from the subscription list of the magazine, from automobile registration lists, from phone lists, and from club membership lists."

"Based on the poll, The Literary Digest predicted that Landon would win the 1936 presidential election with 57.1% of the popular vote and an electoral college margin of 370 to 161. In fact, Roosevelt won the election with 60.8% of the popular vote (27,751,841 to 16,679,491) and an electoral college landslide of 523 to 8 (the largest ever in a presidential election). Roosevelt won 46 of 48 states, losing only Maine and Vermont. The *Literary Digest*, using similar techniques, had correctly predicted the outcome of the last four presidential elections. But in this case, the magazine was not just wrong, it was spectacularly wrong. In part because of the subsequent loss of prestige and credibility, the magazine died just two years later.

What went wrong? Clearly the sample was skewed towards wealthier voters--those who could afford magazine subscriptions, cars, phones, and club memberships in the depths of the Great Depression. This sort of bias would not matter if wealthier voters behaved in a similar manner to voters as a whole (as was basically the case in the previous four elections). But in 1936, at a time of great tension between economic classes, this was definitely not the case. Another problem, not easily understood, is self-selection bias. Were the voters who chose to return the questionnaires different, in terms of how they planned to vote, from the voters who did not respond?"

Note that "The Literary Digest" had been correct for the previous four elections and then stunningly blew it. Might we have a repeat coming up?

------------------------------

Date: Fri, 15 May 2015 17:45:20 -0400
From: Dick Mills <dickandlibbymills () gmail com>
Subject: Re: Dealing with rogue drones, Copping a 'copter (RISKS-28.62)

On the *Economist* article about authorities trying to thwart drones: They better be careful, I saw this in recent news.

"The Federal Aviation Administration felt the need to issue a statement Friday asking the general public not to shoot at drones flying over head as a small Colorado town is considering an ordinance urging townsfolk to shoot down unmanned aerial vehicles. 'Shooting at an unmanned aircraft could result in criminal or civil liability, just as would firing at a manned airplane,' the statement from the FAA read."
http://defensetech.org/2013/07/22/faa-to-town-please-dont-shoot-down-drones/

Other news comments warn states and law enforcement about the same legal liability risk if they did take action against drones.

The legal status of drones needs clarification.

------------------------------

Date: 12 May 2015 00:24:32 -0000
From: "John Levine" <johnl () iecc com>
Subject: Re: Authentication vs Identification ... (Brodbeck, RISKS-28.63)

That horse left the barn several generations ago, unfortunately.

The problem is the fiction that the SSN is secret, so anyone who presents your SSN must be you. I'd prefer to address it directly by saying, sure, they can demand an SSN all they want, but any transaction validated with an SSN isn't enforceable. Did they ask for your SSN when you applied for a credit card? Great! You don't have to pay the bill. Did they use your SSN to request a credit report? They better not make any adverse decisions based on it.

This might be a challenge to enforce, but I think the idea is right.

There are other issues like the lack of a check digit and the dense number space makes it way too easy to get the number wrong (transpose the last two digits and you'll likely have the valid SSN of someone else born roughly when and where you were), but they're side issues compared to the faux secrecy.

------------------------------

Date: Mon, 17 Nov 2014 11:11:11 -0800
From: RISKS-request () csl sri com
Subject: Abridged info on RISKS (comp.risks)

The ACM RISKS Forum is a MODERATED digest. Its Usenet manifestation is comp.risks, the feed for which is donated by panix.com as of June 2011.
=> SUBSCRIPTIONS: PLEASE read RISKS as a newsgroup (comp.risks or equivalent) if possible and convenient for you. The mailman Web interface can be used directly to subscribe and unsubscribe:
   http://mls.csl.sri.com/mailman/listinfo/risks
 Alternatively, to subscribe or unsubscribe via e-mail to mailman your FROM: address, send a message to
   risks-request () csl sri com
 containing only the one-word text subscribe or unsubscribe. You may also specify a different receiving address: subscribe address= ... . You may short-circuit that process by sending directly to either
   risks-subscribe () csl sri com  or  risks-unsubscribe () csl sri com
 depending on which action is to be taken.

 Subscription and unsubscription requests require that you reply to a confirmation message sent to the subscribing mail address. Instructions are included in the confirmation message. Each issue of RISKS that you receive contains information on how to post, unsubscribe, etc.

=> The complete INFO file (submissions, default disclaimers, archive sites, copyright policy, etc.) is online.
   <http://www.CSL.sri.com/risksinfo.html>
 *** Contributors are assumed to have read the full info file for guidelines.

=> .UK users may contact <Lindsay.Marshall () newcastle ac uk>.
=> SPAM challenge-responses will not be honored. Instead, use an alternative address from which you NEVER send mail!
=> SUBMISSIONS: to risks () CSL sri com with meaningful SUBJECT: line.
 *** NOTE: Including the string `notsp' at the beginning or end of the subject
 *** line will be very helpful in separating real contributions from spam.
 *** This attention-string may change, so watch this space now and then.
=> ARCHIVES: ftp://ftp.sri.com/risks for current volume
     or ftp://ftp.sri.com/VL/risks for previous VoLume
   http://www.risks.org takes you to Lindsay Marshall's searchable archive at newcastle:
   http://catless.ncl.ac.uk/Risks/VL.IS.html gets you VoLume, ISsue.
   Lindsay has also added to the Newcastle catless site a palmtop version of the most recent RISKS issue and a WAP version that works for many but not all telephones: http://catless.ncl.ac.uk/w/r
   <http://the.wiretapped.net/security/info/textfiles/risks-digest/> .
==> PGN's comprehensive historical Illustrative Risks summary of one liners:
   <http://www.csl.sri.com/illustrative.html> for browsing,
   <http://www.csl.sri.com/illustrative.pdf> or .ps for printing
   is no longer maintained up-to-date except for recent election problems.
 *** NOTE: If a cited URL fails, we do not try to update them. Try browsing on the keywords in the subject line or cited article leads.
==> Special Offer to Join ACM for readers of the ACM RISKS Forum:
   <http://www.acm.org/joinacm1>

------------------------------

End of RISKS-FORUM Digest 28.64
************************
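Editor's added illustration of the check-digit point in John Levine's item above (this block is not part of the digest or any contributor's post). It applies a hypothetical weighted mod-11 check digit, the ISBN-10 scheme, to a nine-digit identifier and surveys which single-digit substitutions and adjacent transpositions still validate, compared with a bare identifier that has no check digit at all. The sample payloads are constructed values, not real SSNs, and the SSN itself carries no such check digit.

```python
"""Weighted mod-11 check digit (ISBN-10 style) over a nine-digit identifier,
plus a survey of which common transcription errors it catches.

Added illustration for the RISKS item on SSNs lacking a check digit.  The
sample identifiers are constructed, not real SSNs, and the scheme is
hypothetical for SSNs, which carry no check digit at all."""
from __future__ import annotations

# One weight per payload digit, highest weight first (the ISBN-10 convention).
WEIGHTS = (10, 9, 8, 7, 6, 5, 4, 3, 2)
CHECK_ALPHABET = "0123456789X"  # 'X' stands for the check value 10


def check_digit(payload: str) -> str:
    """Return the check character for a nine-digit payload.

    The check value c is chosen so that sum(w_i * d_i) + c is divisible by 11.
    Because 11 is prime and every weight is below 11, any single-digit change
    or swap of two unequal neighbours shifts the weighted sum by an amount
    that is not a multiple of 11, so it is always detected.
    """
    if len(payload) != len(WEIGHTS) or not payload.isdigit():
        raise ValueError("payload must be exactly nine decimal digits")
    total = sum(w * int(d) for w, d in zip(WEIGHTS, payload))
    c = (-total) % 11
    return "X" if c == 10 else str(c)


def is_valid(candidate: str) -> bool:
    """True if candidate is a nine-digit payload followed by its correct check."""
    if len(candidate) != len(WEIGHTS) + 1:
        return False
    payload, check = candidate[:-1], candidate[-1]
    if not payload.isdigit() or check not in CHECK_ALPHABET:
        return False
    return check_digit(payload) == check


def adjacent_transpositions(s: str) -> list[str]:
    """Every string obtained by swapping one pair of unequal neighbours in s."""
    return [s[:i] + s[i + 1] + s[i] + s[i + 2:]
            for i in range(len(s) - 1) if s[i] != s[i + 1]]


def single_substitutions(s: str, with_check: bool) -> list[str]:
    """Every string obtained by replacing exactly one character of s.

    When with_check is True the final position may also become 'X'.
    """
    out = []
    for i, ch in enumerate(s):
        last = with_check and i == len(s) - 1
        alphabet = CHECK_ALPHABET if last else "0123456789"
        out.extend(s[:i] + alt + s[i + 1:] for alt in alphabet if alt != ch)
    return out


def error_survey(payload: str) -> dict[str, int]:
    """Count errors that slip past validation, with and without the check digit.

    Without a check digit every transposed or mistyped nine-digit string is
    just another syntactically valid identifier, so nothing is detected.
    """
    protected = payload + check_digit(payload)
    return {
        "bare_transpositions_undetected": len(adjacent_transpositions(payload)),
        "bare_substitutions_undetected": len(single_substitutions(payload, False)),
        "checked_transpositions_undetected":
            sum(1 for m in adjacent_transpositions(protected) if is_valid(m)),
        "checked_substitutions_undetected":
            sum(1 for m in single_substitutions(protected, True) if is_valid(m)),
    }


if __name__ == "__main__":
    for sample in ("123456789", "987654321"):  # constructed sample payloads
        print(sample, "->", sample + check_digit(sample), error_survey(sample))
```

The survey shows the asymmetry Levine describes: a bare nine-digit number cannot tell a transposed or mistyped neighbour from a legitimate identifier, whereas one check character catches every single substitution and every adjacent transposition, at the cost of one extra position and an occasional 'X'.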