RISKS Forum mailing list archives

Previous By Date Next
Previous By Thread Next

Risks Digest 29.46

From: RISKS List Owner <risko () csl sri com>
Date: Thu, 14 Apr 2016 11:10:48 PDT
RISKS-LIST: Risks-Forum Digest  Thursday 14 April 2016  Volume 29 : Issue 46

ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
Peter G. Neumann, moderator, chmn ACM Committee on Computers and Public Policy

***** See last item for further information, disclaimers, caveats, etc. *****
This issue is archived at <http://www.risks.org> as
  <http://catless.ncl.ac.uk/Risks/29.46.html>
The current issue can be found at
  <http://www.csl.sri.com/users/risko/risks.txt>

  Contents:
President Obama's Commission on Enhancing National Cybersecurity  (Michael
  Daniel  Ed Felten  and Tony Scott)
Burr-Feinstein bill draft (PGN)
Senate Cybersecurity panel unveils long-awaited encryption bill (The Hill)
Feds say they hired a hardware hacker to crack the San Bernardino
  phone (WashPo)
Online election hacking (BBW)
Failure in bank security (Corwyn)
Re: Japanese computer system problems left many flight passengers stranded
  (Alister Macintyre)
Re: The Panama Papers and Barbara Streisand (Michael Bacon)
Abridged info on RISKS (comp.risks)

----------------------------------------------------------------------

Date: Thu, 14 Apr 2016 10:19:25 PDT
From: "Peter G. Neumann" <neumann () csl sri com>
Subject: President Obama's Commission on Enhancing National Cybersecurity

https://www.whitehouse.gov/blog/2016/04/13/announcing-presidents-commission-enhancing-national-cybersecurity

Michael Daniel, Ed Felten, and Tony Scott, 13 Apr 2016

In February, the President announced a Cybersecurity National Action Plan
(CNAP) to take a series of short-term and long-term actions to improve our
nation's cybersecurity posture.  A central feature of that plan is the
non-partisan Commission on Enhancing National Cybersecurity, comprised of
leading thinkers from business, technology, and academia and charged with
making recommendations to the nation for actions that can be taken over the
next decade to strengthen cybersecurity in both the public and private
sector.

Today, we are pleased to announce that the President and the bipartisan
Congressional leadership have selected the 12 individuals to serve on the
Commission.  They are:

* Tom Donilon, former Assistant to the President and National Security
  Advisor (Chair)

* Sam Palmisano, former CEO of IBM (Vice Chair)

* General Keith Alexander, CEO of IronNet Cybersecurity, former Director of
  the National Security Agency and former Commander of U.S. Cyber Command

* Annie Anton, Professor and Chair of the School of Interactive Computing at
  Georgia Tech.

* Ajay Banga, President and CEO of MasterCard

* Steven Chabinsky, General Counsel and Chief Risk Officer of CrowdStrike

* Patrick Gallagher, Chancellor of the University of Pittsburgh and former
  Director of the National Institute of Standards and Technology

* Peter Lee, Corporate Vice President, Microsoft Research

* Herbert Lin, Senior Research Scholar for Cyber Policy and Security at the
  Stanford Center for International Security and Cooperation and Research
  Fellow at the Hoover Institution

* Heather Murren, former member of the Financial Crisis Inquiry Commission
  and co-founder of the Nevada Cancer Institute

* Joe Sullivan, Chief Security Officer of Uber and former Chief Security
  Officer of Facebook

* Maggie Wilderotter, Executive Chairman of Frontier Communications

These 12 individuals will be charged with recommending bold, actionable
steps that the government, private sector, and the nation as a whole can
take to bolster cybersecurity in today's digital world, and reporting back
by the beginning of December.  They will hold their first public meeting
tomorrow at the U.S. Department of Commerce, where they will be joined by
Secretary of Commerce Penny Pritzker, Assistant to the President for
Homeland Security and Counterterrorism Lisa Monaco, and others to discuss
the critical work that lies ahead for the Commission.


From the beginning of his Administration, the President has made it clear

that cybersecurity is one of the most important challenges we face as a
Nation.  For more than seven years, we have acted comprehensively to make
progress towards three goals:

* Raise the level of cybersecurity in both the public and private sectors.

* Deter, disrupt, and interfere with malicious cyber activity aimed at the
  U.S. or its allies.

* Respond effectively to and recover from cyber incidents.

Recent accomplishments in pursuit of these goals include the Cyber Threat
Intelligence Integration Center (CTIIC) attaining initial operating
capability; reaching an unprecedented set of commitments with China's
President on cybersecurity; deploying strong authentication for 81 percent
of accounts on federal systems; and implementing the Cybersecurity Act of
2015 to enhance cybersecurity information sharing and improve cyber-defense
throughout the nation.  [...]

------------------------------

Date: Wed, 13 Apr 2016 11:59:06 PDT
From: "Peter G. Neumann" <neumann () csl sri com>
Subject: Burr-Feinstein bill draft

The Burr-Feinstein discussion draft now released:
Compliance with Court Orders Act of 2016
http://www.feinstein.senate.gov/public/index.cfm?a=files.serve&File_id=5B990532-CC7F-427F-9942-559E73EB8BFB

Here's my short-version summary

  It would compel "covered entities" (very broad: device manufacturer,
  software manufacturer, electronic communication service, provider of a
  remote computing service, or any person who provides a product or method
  to facility a communication or processing or storage of data) to comply
  with court orders [*] to provide data or otherwise assist in efforts to
  prosecute crimes (resulting in death; foreign intelligence, espionage, and
  terrorism; Federal crime against a minor; serious violent felony; serious
  Federal drug crime; state crimes equivalent to the previous ones).
  However, the draft bill does not prescribe penalties for noncompliance,
  and seems to leave that up to the courts.  That could be quite a slippery
  slope -- and could easily tend to act as a not-so-veiled threat.

* The draft says "an order or warrant", so presumably a subpoena would be
sufficient?  When I testified for the Senate Judiciary Committee on 9 Jul
1997, Senator Leahy began the first morning session by getting Bob Kerry to
admit that he did not know that his own Kerry-McCain bill required only a
subpoena, and not a warrant.  I think what constitutes a "court order" is a
potentially sticky wicket here.

Incidentally, my testimony in the second session that day is at
http://www.csl.sri.com/neumann/judiciary.html, along with my answers to
subsequent written questions from Senators Thurmond, Grassley, Leahy, and
Feinstein.  At the end of the first session. Senator Feinstein excused
herself to go to another hearing, but remarked that if FBI Director Freeh
said he needed access to essentially everything, we'd better give it to him.

------------------------------

Date: Wed, 13 Apr 2016 16:45:40 -0700
From: Lauren Weinstein <lauren () vortex com>
Subject: Senate Cybersecurity panel unveils long-awaited encryption bill

http://thehill.com/policy/cybersecurity/overnights/276219-overnight-cybersecurity-long-awaited-encryption-bill-lands

  The measure, from Chairman Richard Burr (R-N.C.) and ranking member Dianne
  Feinstein (D-Calif.), would force companies to provide "technical
  assistance" to government investigators seeking locked data.  Little has
  changed in the bill since an initial discussion draft was first made
  public by The Hill last week. The measure still states that a company must
  provide "information or data" to the government "in an intelligible
  format" when served with a court order.

The obvious outcome of this of course would be the rapid deployment of even
more third-party apps to layer strong crypto without government backdoors
onto the systems that the government mandates must be made hacker, criminal,
and terrorist attack friendly via government backdoors. Next, the government
plans to make it illegal to speak in unfamiliar languages, and will mandate
the installation of cameras in every room of every home and business that
can be enabled under court order. Just wait until you see what they'll
demand in the future for data collection and remote control from and over
autonomous vehicles!

  [It is also likely to open up a huge market for non-U.S. meaningfully
  secure operating systems and well-embedded strong cryptography, and
  noncompliant apps.  Unfortunately, the U.S. government itself may have to
  resort to non-U.S. products if they cannot get them domestically -- which
  represents a huge set of risks, PGN]

------------------------------

Date: April 14, 2016 at 5:07:14 AM GMT+9
From: "John Levine" <johnl () iecc com>
Subject: Feds say they hired a hardware hacker to crack the San Bernardino
  phone (from Cryptography via Dave Farber)

The WashPo says:

The FBI cracked a San Bernardino terrorist's phone with the help of
professional hackers who discovered and brought to the bureau at least one
previously unknown software flaw, according to people familiar with the
matter. ...

The new information was then used to create a piece of hardware that helped
the FBI to crack the iPhone's four-digit personal identification number
without triggering a security feature that would have erased all the data,
the individuals said. ...

Even without a new flaw, that suggests something like the plan many people
suggested to make an image of the device's memory and restore it after each
group of PIN guesses.

https://www.washingtonpost.com/world/national-security/fbi-paid-professional-hackers-one-time-fee-to-crack-san-bernardino-iphone/2016/04/12/5397814a-00de-11e6-9d36-33d198ea26c5_story.html?hpid=hp_hp-cards_no-name%3Ahomepage%2Fcard

------------------------------

Date: Tue, 12 Apr 2016 16:32:19 -0500
From: "Alister Wm Macintyre \(Wow\)" <macwheel99 () wowway com>
Subject: Online election hacking (BBW)

Pages 60-65 of April 4-10 BBW is on history of hacking on-line elections, in
the Americas.  It has reportedly happened in Columbia, Costa Rica, El
Salvador, Guatemala, Honduras, Mexico, Nicaragua, Panama, and Venezuela.  A
person accused of participating in this election rigging, is now allegedly
working in the Donald Trump campaign. [...]

http://www.bloomberg.com/content-service/blog/2016-04-08/hack-election-comohackear-una-eleccion/

------------------------------

Date: Mon, 11 Apr 2016 16:54:11 -0400
From: risks () corwyn net
Subject: Failure in bank security

Today I spent a while on the phone puzzling out an error in my SunTrust
account, eventually determined to be me having transferred money from my
line of credit (check protection) instead of my checking account. Mea culpa.

To try to prevent making the same error again, I asked that they remove the
line of credit from my Internet access. They said they could not. I asked if
I could decrease the credit limit on the account, and they said "sure". All
I needed to do was send them authorization from my email account. My
personal email account. I asked if I could instead use the "Secure Message"
system within my on-line account, and was told that I couldn't submit the
change from there; the message had to come from my personal account.

I spent a long time on the phone trying to get to someone who would
understand that my personal email address didn't count as "secure" or
"authenticated", to no avail.

------------------------------

Date: Mon, 11 Apr 2016 19:51:54 -0500
From: "Alister Wm Macintyre \(Wow\)" <macwheel99 () wowway com>
Subject: Re: Japanese computer system problems left many flight passengers
  stranded (Ishikawa, RISKS-29.45)

CI, Thanks for the Japanese to English translation.  You were unsure about
the Cache.  I think the explanation, that you quoted, is BS.

Approx 35 years ago I first started working with cache.  The concept was
that accessing data from disk drives took thousandths of seconds, while
accessing from memory took millionths of seconds.  Systems may be faster
today, but the same ratio may apply.  So we in IT had the option of setting
aside a portion of memory for cache, which was memory of most recent disk
accesses, on the theory that that data might be needed again very soon, so
by having the latest updated copy in the cache, it could be accessed faster.
Also, copying the updated data to disk could happen as micro seconds permit,
without holding up the parade of other activities.  In case of some
disruption, making sure info in cache written back to disk was a priority.

Failures in this system could occur if

* The overall system did not have enough "gas" to handle normal loads, and
  typical busy time periods.  By "gas" I mean speed, disk capacity, memory,
  processors, file balancing, all the "stuff" needed for a well tuned
  computer system.

* Badly written software messed with the amount of memory assigned to cache.

* To get good cache results, programs need to nibble on data in reasonable
  size chunks, and the routines need to be of reasonable size.  We might not
  get this, with poorly written programs.

* The cache memory worked thanks to a battery, recharged like a miniature
  UPS, whose battery does not live forever.  As it wears out, there is a
  system error message to warn IT that we need to schedule hardware
  maintenance to replace the cache battery.  If no one is paying attention
  to the hardware warning messages, then the cache benefit could come to a
  sudden surprising halt.

* Performance tools show how efficiently cache is functioning, to indicate
  whether the organization can benefit from buying more memory.  They also
  show where there are potential bottlenecks, such as activity waiting on a
  communication line which is overloaded (needs to be faster, more band
  width), or bottleneck waiting on data thru some processor (maybe we need
  more processors, such as a math chip).  If the tools tell IT that certain
  upgrades are needed to improve performance, but management won't approve
  the expenditure, then the result can be inconvenience for some of the
  users.  Performance Tools also identify bottlenecks thanks to the specific
  programs which are badly written, with some info on where in the programs
  they have problems.

* Software updates should go through some kind of testing.  They had a
  backup machine.  Did they use that for testing, since the main one was
  very busy?

  http://itpro.nikkeibp.co.jp/atcl/news/16/040601011/

  According the article above, a critical region handling routine was
  installed in the week before and this caused a deadlock of the application
  cache (not sure exactly what/where the cache is) and handling of disk
  access.

------------------------------

Date: Thu, 14 Apr 2016 05:20:12 -0400
From: Michael Bacon - Grimbaldus <michael.bacon () grimbaldus com>
Subject: Re: The Panama Papers and Barbara Streisand (RISKS-29.45)

The media love stories about politicians and their finances.  However, there
is a big difference between tax avoidance and tax evasion.

I doubt there is any reader of this who does not take steps to avoid paying
taxes they don't need to.  Of course, there might be some who attempt to
evade paying taxes too, but I suspect the balance to be in favour of the
former.  The journalists writing in high-handed tones, and the political
opponents trying to make capital [pun intended] out of the stories are very
likely to be avoiders too ... and possibly evaders.

British Prime Minister, David Cameron, has come under fire from the
opposition leader Jeremy Corbyn for Cameron's late father's revealed
involvement in one offshore investment company, leading to the PM publishing
his tax returns.  Corbyn responded, only for the media to uncover his
failure to properly declare income from three pensions.  This is now
becoming a bigger story.  Another example of the Streisand Effect?

------------------------------

Date: Mon, 17 Nov 2014 11:11:11 -0800
From: RISKS-request () csl sri com
Subject: Abridged info on RISKS (comp.risks)

 The ACM RISKS Forum is a MODERATED digest. Its Usenet manifestation is
 comp.risks, the feed for which is donated by panix.com as of June 2011.
=> SUBSCRIPTIONS: PLEASE read RISKS as a newsgroup (comp.risks or equivalent)
 if possible and convenient for you.  The mailman Web interface can
 be used directly to subscribe and unsubscribe:
   http://mls.csl.sri.com/mailman/listinfo/risks
 Alternatively, to subscribe or unsubscribe via e-mail to mailman
 your FROM: address, send a message to
   risks-request () csl sri com
 containing only the one-word text subscribe or unsubscribe.  You may
 also specify a different receiving address: subscribe address= ... .
 You may short-circuit that process by sending directly to either
   risks-subscribe () csl sri com or risks-unsubscribe () csl sri com
 depending on which action is to be taken.

 Subscription and unsubscription requests require that you reply to a
 confirmation message sent to the subscribing mail address.  Instructions
 are included in the confirmation message.  Each issue of RISKS that you
 receive contains information on how to post, unsubscribe, etc.

=> The complete INFO file (submissions, default disclaimers, archive sites,
 copyright policy, etc.) is online.
   <http://www.CSL.sri.com/risksinfo.html>
 *** Contributors are assumed to have read the full info file for guidelines.

=> .UK users may contact <Lindsay.Marshall () newcastle ac uk>.
=> SPAM challenge-responses will not be honored.  Instead, use an alternative
 address from which you NEVER send mail!
=> SUBMISSIONS: to risks () CSL sri com with meaningful SUBJECT: line.
 *** NOTE: Including the string `notsp' at the beginning or end of the subject
 *** line will be very helpful in separating real contributions from spam.
 *** This attention-string may change, so watch this space now and then.
=> ARCHIVES: ftp://ftp.sri.com/risks for current volume
     or ftp://ftp.sri.com/VL/risks for previous VoLume
 http://www.risks.org takes you to Lindsay Marshall's searchable archive at
 newcastle: http://catless.ncl.ac.uk/Risks/VL.IS.html gets you VoLume, ISsue.
   Lindsay has also added to the Newcastle catless site a palmtop version
   of the most recent RISKS issue and a WAP version that works for many but
   not all telephones: http://catless.ncl.ac.uk/w/r
 <http://the.wiretapped.net/security/info/textfiles/risks-digest/> .
==> PGN's historical Illustrative Risks summary of one liners:
    <http://www.csl.sri.com/illustrative.html> for browsing,
    <http://www.csl.sri.com/illustrative.pdf> or .ps for printing
  is no longer maintained up-to-date except for recent election problems.
 *** NOTE: If a cited URL fails, we do not try to update them.  Try
  browsing on the keywords in the subject line or cited article leads.
==> Special Offer to Join ACM for readers of the ACM RISKS Forum:
    <http://www.acm.org/joinacm1>

------------------------------

End of RISKS-FORUM Digest 29.46
************************
Previous By Date Next
Previous By Thread Next

Current thread: