RISKS Forum mailing list archives
Risks Digest 30.29
From: RISKS List Owner <risko () csl sri com>
Date: Sat, 13 May 2017 22:46:57 PDT
RISKS-LIST: Risks-Forum Digest  Saturday 13 May 2017  Volume 30 : Issue 29

ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
Peter G. Neumann, moderator, chmn ACM Committee on Computers and Public Policy

***** See last item for further information, disclaimers, caveats, etc. *****
This issue is archived at <http://www.risks.org> as
  <http://catless.ncl.ac.uk/Risks/30.29>
The current issue can also be found at
  <http://www.csl.sri.com/users/risko/risks.txt>

  Contents:
Fiat Chrysler Recalls 1.2 Million Ram Pickups Over Faulty Software (Bill Vlasic and Neal E. Boudette)
Today's Massive Ransomware Attack Was Mostly Preventable -- Here's How To Avoid It (Gizmodo)
Dozens of countries hit by huge cyberextortion attack (McClatchy)
A British researcher says he found a kill switch for the malware crippling computers worldwide (The Washington Post)
Hackers Use Tool Taken from NSA in Global Attack (Nicole Perlroth and David E. Sanger)
Indicators Associated With WannaCry Ransomware (US-CERT)
WARNING: Antivirus sites may be helping to SPREAD the current global malware ransomware WannaCry attack! (Lauren Weinstein)
Global 'Wana' Ransomware Outbreak Earned Perpetrators $26,000 So Far (Krebs)
The Joy of Tech comic: The Internet of ransomware things! (GeekCulture)
Vehicle lien recorded in name of cartoon characters (Mark Brader)
Cochrane Report on IHealth EHR: Lessons for engaging users to provide QA feedback (Island Health via Kelly Bert Manning)
Microsoft patches Windows XP to fight 'WannaCrypt' attacks (Engadget via LW)
Malware and The Cloud (Lauren Weinstein)
"How the Macron campaign slowed cyberattackers" (Fahmida Y. Rashid)
Counter intelligence in the French elections - this changes cybersecurity forever. (Gadi Evron)
Facebook takes to newspapers to teach UK users how to spot "fake news" (Ars Technica)
"HP computer owners: Check for the MicTray Conexant keylogger" (Woody Leonhard via Gene Wirchenko)
MUST READ "Open MIC" report: Corporate responsibility in an age of alternative facts -- with emphasis on Facebook and Google (Lauren Weinstein)
China Is on Track to Fully Phase Out Cash (Motherboard)
Sony PlayStation leads to the arrest of 15 member gang (Diomidis Spinellis)
UK Telecomms Service Stopped by Bureaucracy (Chris Drewe)
Crash with Impact (The New York Times)
NYU Accidentally Exposed Military Code-Breaking Computer Project to Entire Internet (Sam Biddle)
Confidential patient data breach at NYC's Bronx Leb Hospital (Data Breaches via danny burstein)
Security Alert from Intel concerning Business-grade Processors with detection tool -- followup (Bob Gezelter)
"Supply chain attack on HandBrake video converter app hits Mac users" (Lucian Constantin)
The FCC says an attack -- not John Oliver -- hampered its website (The Washington Post)
U.S. military cyber operation to attack ISIS last year sparked heated debate over alerting allies (The Washington Post)
Re: Someone hacked every tornado siren in Dallas. It was loud. (Jim Reisert)
Progress To Date on Deepwater Horizon (Earl Boebert)
Re: The Lost Picture Show (Dimitri Maziuk, Gabe Goldberg, Brian Inglis, Jeff Jonas)
Re: Man gets fined for discovering an engineering flaw (John Levine)
Re: Senseless Government Rules Could Cripple the Robo-Car Revolution (Mike Spencer)
Re: Bobby Tables and electoral fraud (Dave Horsfall, Kelly Bert Manning)
Abridged info on RISKS (comp.risks)

----------------------------------------------------------------------

Date: Sat, 13 May 2017 08:13:18 PDT
From: "Peter G. Neumann" <neumann () csl sri com>
Subject: Fiat Chrysler Recalls 1.2 Million Ram Pickups Over Faulty Software (Bill Vlasic and Neal E. Boudette)

*The New York Times*, 13 May 2017

After one death and two injuries, the recall is intended to fix faulty software that can disable airbags and seatbelt tension devices. Reportedly, "normal restraint-system function may be restored" by turning the ignition off and on again.

------------------------------

Date: Fri, 12 May 2017 16:27:31 -0700
From: Lauren Weinstein <lauren () vortex com>
Subject: Today's Massive Ransomware Attack Was Mostly Preventable -- Here's How To Avoid It (Gizmodo)

NNSquad
http://gizmodo.com/today-s-massive-ransomware-attack-was-mostly-preventabl-1795179984

Here's what happened: Unknown attackers deployed a virus targeting Microsoft servers running the file sharing protocol Server Message Block (SMB). Only servers that weren't updated after March 14 with the MS17-010 patch were affected; this patch resolved an exploit known as EternalBlue, once a closely guarded secret of the National Security Agency, which was leaked last month by ShadowBrokers, a hacker group that first revealed itself last summer. The ransomware, aptly named WannaCry, did not spread because of people clicking on bad links. The only way to prevent this attack was to have already installed the update.

------------------------------

Date: Fri, 12 May 2017 15:10:41 -0700
From: Lauren Weinstein <lauren () vortex com>
Subject: Dozens of countries hit by huge cyberextortion attack (McClatchy)

via NNSquad
http://www.mcclatchydc.com/news/politics-government/national-politics/article150231887.html

Dozens of countries were hit with a huge cyberextortion attack Friday that locked up computers and held users' files for ransom at a multitude of hospitals, companies and government agencies. The attack appeared to exploit a vulnerability that was purportedly identified by the U.S. National Security Agency for its own intelligence-gathering purposes and was later leaked to the Internet.
Britain's national health service was hit hard, its hospitals forced to close wards and emergency rooms. Spain, Portugal and Russia were also struck. Several cybersecurity firms said they had identified the malicious software behind the attack in upward of 60 countries, with Russia apparently the hardest hit.

  [On the UK NHS, danny burstein noted UK hospital system suffering nationwide computer issues (The Guardian): NHS hospitals across England hit by large-scale cyber-attack
    Immediately on discovery of the problem, the trust acted to protect its IT systems by shutting them down; it also meant that the trust's telephone system is not able to accept incoming calls.
  https://www.theguardian.com/society/2017/may/12/hospitals-across-england-hit-by-large-scale-cyber-attack
  See Also http://www.bbc.co.uk/news/health-39899646
  PGN]

------------------------------

Date: Sat, 13 May 2017 07:50:05 -0700
From: Lauren Weinstein <lauren () vortex com>
Subject: A British researcher says he found a kill switch for the malware crippling computers worldwide (The Washington Post)

via NNSquad
https://www.washingtonpost.com/news/worldviews/wp/2017/05/13/a-british-researcher-says-he-found-a-kill-switch-for-the-malware-crippling-computers-worldwide/

By purchasing the domain name and registering a website, the cybersecurity researcher claims that he activated a kill switch. It immediately slowed the spread of the malware and could ultimately stop its current version, cybersecurity experts said Saturday ... About 3 p.m. Eastern time, the specialist with U.S. cybersecurity enterprise Kryptos Logic bought an unusually long and nonsensical domain name ending with "gwea.com." The 22-year-old says he paid $10.69, but his purchase might have saved companies and governmental institutions around the world billions of dollars.

------------------------------

Date: Sat, 13 May 2017 08:20:04 PDT
From: "Peter G. Neumann" <neumann () csl sri com>
Subject: Hackers Use Tool Taken from NSA in Global Attack (Nicole Perlroth and David E. Sanger)

*The New York Times*, 13 May 2017 (front page)

A digital `perfect storm' hits hospitals, businesses, and a Russian ministry on 12 May 2017. By the end of the day, the attack had spread to more than 74 countries. According to Kaspersky Lab (a Russian cybersecurity company), Russia was the worst-hit, then Ukraine, India, and Taiwan. This seems to have been the largest ransomware attack to date. It was triggered by a simple phishing attack, and is believed to have exploited a vulnerability with a method developed -- and leaked from or stolen from -- NSA. [PGN-ed]

------------------------------

Date: Sat, 13 May 2017 08:39:09 -0700
From: Lauren Weinstein <lauren () vortex com>
Subject: Indicators Associated With WannaCry Ransomware (US-CERT)

via NNSquad
https://www.us-cert.gov/ncas/alerts/TA17-132A

According to numerous open-source reports, a widespread ransomware campaign is affecting various organizations with reports of tens of thousands of infections in as many as 74 countries, including the United States, United Kingdom, Spain, Russia, Taiwan, France, and Japan. The software can run in as many as 27 different languages.

The latest version of this ransomware variant, known as WannaCry, WCry, or Wanna Decryptor, was discovered the morning of May 12, 2017, by an independent security researcher and has spread rapidly over several hours, with initial reports beginning around 4:00 AM EDT, May 12, 2017. Open-source reporting indicates a requested ransom of .1781 bitcoins, roughly $300 U.S.

This Alert is the result of efforts between the Department of Homeland Security (DHS) National Cybersecurity and Communications Integration Center (NCCIC) and the Federal Bureau of Investigation (FBI) to highlight known cyber threats.
DHS and the FBI continue to pursue related information of threats to federal, state, and local government systems and as such, further releases of technical information may be forthcoming.

------------------------------

Date: Sat, 13 May 2017 09:08:37 -0700
From: Lauren Weinstein <lauren () vortex com>
Subject: WARNING: Antivirus sites may be helping to SPREAD the current global malware ransomware WannaCry attack!

Lauren's Blog
https://lauren.vortex.com/2017/05/13/warning-antivirus-sites-may-be-helping-to-spread-the-current-global-malware-ransomware-wannacry-attack

It has been reported that a researcher discovered that spread of the current worldwide ransomware attack can be halted after he registered the domain:

  http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com

and built a sinkhole website that the malware could check. Reportedly the malware does not continue spreading if it can reach this site.

HOWEVER, various antivirus websites/services are now reportedly adding that domain to their "bad domain" lists! If sites infected with this malware are unable to reach that domain due to their firewalls incorporating rules from antivirus sites that include a block for that domain, the malware will likely continue spreading across their machines.

Your systems MUST be able to access the domain above if this malware blocking trigger is to be effective, according to the current reports that I'm receiving!

------------------------------

Date: Sat, 13 May 2017 16:11:39 -0700
From: Lauren Weinstein <lauren () vortex com>
Subject: Global 'Wana' Ransomware Outbreak Earned Perpetrators $26,000 So Far

NNSquad
https://krebsonsecurity.com/2017/05/global-wana-ransomware-outbreak-earned-perpetrators-26000-so-far/

As thousands of organizations work to contain and clean up the mess from this week's devastating Wana ransomware attack, the fraudsters responsible for releasing the digital contagion are no doubt counting their earnings and congratulating themselves on a job well done.
But according to a review of the Bitcoin addresses hard-coded into Wana, it appears the perpetrators of what's being called the worst ransomware outbreak ever have made little more than USD $26,000 so far from the scam.

------------------------------

Date: Sat, 13 May 2017 11:32:42 -0700
From: Lauren Weinstein <lauren () vortex com>
Subject: The Joy of Tech comic: The Internet of ransomware things!

via NNSquad
http://www.geekculture.com/joyoftech/joyarchives/2340.html

------------------------------

Date: Thu, 11 May 2017 15:13:01 -0400 (EDT)
From: msb () vex net (Mark Brader)
Subject: Vehicle lien recorded in name of cartoon characters

Apparently, some time ago someone in the Ontario provincial government's computer systems was running a test simulating the addition of a lien to the information record about someone's vehicle. For the lienholder's name they used fictional characters from the old animated TV show "The Flintstones" -- but for the vehicle they used a real VIN.

Result: the 75-year-old woman who owned the vehicle found herself blocked from selling it until the bogus lien was cleared. Apparently this took 9 months, but the matter only became public this week.

Naturally, the government is saying this was the only such case and it won't happen again, while the opposition takes a different view...
http://www.cbc.ca/news/anykey-1.4109296

------------------------------

Date: Mon, 8 May 2017 12:02:38 -0400 (EDT)
From: Kelly Bert Manning <Kelly.Manning () ncf ca>
Subject: Cochrane Report on IHealth EHR: Lessons for engaging users to provide QA feedback (Island Health)

http://ihealth.islandhealth.ca/2016/11/the-cochrane-report/
http://ihealth.islandhealth.ca/wp-content/uploads/2016/11/Summary-of-Recommendations.pdf
http://ihealth.islandhealth.ca/wp-content/uploads/2016/11/ihealth-review-2017.pdf
http://vancouverisland.ctvnews.ca/video?clipId=1115112

"Issue reporting and resolution

At roll out, when users were highly supportive and enthusiastic, they actively engaged in reporting issues of performance, usability and safety. At the time, reporting was accepted through multiple sources including the Patient Safety Learning System (PSLS), health informaticists, the Help Desk, emails, red dot reports and meetings. Peer mentors and informaticists were actively engaged in addressing issues as they arose.

Unfortunately, follow up with users that had reported a concern was inconsistent. Many users reported an absence of feedback. The reasons for the lack of feedback are not clear but may relate to the volume of issues being reported and Island Health's capacity to address them. As a result, from the users' perspective, many issues remained unexplained and unresolved, undermining confidence in the safety of the system and the effectiveness of the reporting systems. Users stopped reporting because of fatigue and the lack of feedback.

Some individuals who provided reports perceived that those responding to issues were transferring responsibility to the users. Explanations for issues included user error, bad habits, and users failing to remember. Island Health's reactions were described by interviewees as punitive and involved public shaming and bullying (see emotional responses below).
It was claimed that there were no gaps in education or training, but rather gaps in remembering and a lack of engagement of staff for voluntary learning."

In a previous job a "Creating Satisfied Customers" course taught that a lack of problem reports indicates a failed system for users to report concerns, get status updates and see that concerns are addressed and resolved in a timely fashion.

Many customers will choose another service provider or product if one is available, and they keep encountering issues. A minority of users will try to follow the problem reporting process. Most will give up if they find it too much bother to complete and they keep encountering issues. Most will not bother to continue to report issues if they get no resolution to the initial issue reports. Very few will persist in requesting follow up status reports, particularly if there is no regular feedback or perceived resolution. They just give up.

------------------------------

Date: Sat, 13 May 2017 08:22:23 -0700
From: Lauren Weinstein <lauren () vortex com>
Subject: Microsoft patches Windows XP to fight 'WannaCrypt' attacks (Engadget)

via NNSquad
https://www.engadget.com/2017/05/13/Microsoft-WindowsXP-WannaCrypt-NHS-patch/

Microsoft officially ended its support for most Windows XP computers back in 2014, but today it's delivering one more public patch for the 16-year-old OS. As described in a post on its Windows Security blog, it's taking this "highly unusual" step after customers worldwide including England's National Health Service suffered a hit from "WannaCrypt" ransomware. Microsoft patched all of its currently supported systems to fix the flaw back in March, but now there's an update available for unsupported systems too, including Windows XP, Windows 8 and Windows Server 2003, which you can grab here (note: if that link isn't working then there are direct download links available in the Security blog post).
Sure, now that the spread has apparently been largely contained through other means, Microsoft shows up, a day late and a dollar short, as usual.

------------------------------

Date: Sat, 13 May 2017 13:31:04 -0700
From: Lauren Weinstein <lauren () vortex com>
Subject: Malware and The Cloud

via NNSquad
https://plus.google.com/+LaurenWeinstein/posts/cMA7HsuR7UC

I might note that there's a strong argument to be made that many of these systems crippled by the current malware epidemic by all rights should have instead had their data in the cloud, where professionals are able to keep security and privacy parameters up to date. Successful attacks are becoming more common with virtually every OS. And most systems in homes and offices are not adequately backed up -- if they're backed up at all. Fundamentally, this tech has become too integral to society and too complex for amateurs to maintain by themselves in the long run.

  [On the other hand, RISKS readers understand that the "cloud" is not all that secure, and still entails [I originally wrote entrails] many risks, even though many cloud providers might have better security than small institutions, and a very large one -- evidently, most of the U.S. Government! PGN]

------------------------------

Date: Tue, 09 May 2017 10:12:57 -0700
From: Gene Wirchenko <genew () telus net>
Subject: "How the Macron campaign slowed cyberattackers" (Fahmida Y. Rashid)

Fahmida Y. Rashid, InfoWorld, 9 May 2017
Did the French president-elect's security team use cyberdeception techniques to fight off phishing attacks? Submitting fake credentials definitely qualifies
http://www.infoworld.com/article/3195018/security/how-the-macron-campaign-slowed-cyber-attackers.html

opening text:

In the wake of French president-elect Emmanuel Macron's victory over Marine Le Pen, IT armchair quarterbacks should look at the Macron campaign's security playbook for ideas on how to fight off targeted phishing and other attacks.
------------------------------

Date: Tue, 9 May 2017 21:33:09 +0300
From: Gadi Evron <gevron () gmail com>
Subject: Counter intelligence in the French elections - this changes cybersecurity forever.

I'm extremely excited about what happened at the French elections. Up until today, when it comes to information operations, I could only look up to Russia. What (supposedly, we don't really know too much yet) in France changes all that.

Add supposedly and likely to every sentence:

1. They seeded attack attempts with data that will slow them down. Sending credentials to phishing attempts.

2. They created a few fake documents, which allowed them when the time came to cast doubt on the entire data dump.

I wrote a full analysis based on what is currently known here, I hope you enjoy it:
https://hackernoon.com/analyzing-a-counter-intelligence-cyber-operation-how-macron-just-changed-cyber-security-forever-22553abb038b

I am so excited a public case exists that shows thinking of the type I love and live. With cyberdeception they have essentially shown they can increase the economic costs of the attackers to shift the burden of anomaly detection to them.

I've bet my career and life on starting Cymmetria to do this, and now -- finally, someone else is thinking the same way I do, and more than that, actively working on cyberdeception to control the battle ground and act dynamically.

Interesting side-note: Late last year the various French political parties were summoned to a government brief on phishing attacks. All but one came to the meeting.
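Both the sinkhole domain in Lauren Weinstein's WannaCry warning above and the seeded phishing credentials in Gadi Evron's item are tripwires: values that no legitimate activity ever produces, so a single occurrence is a high-fidelity alert rather than an anomaly to be scored. The following is an added example, not code from any contributor to this issue; it scans constructed DNS and authentication log lines (the line formats, addresses and decoy account names are assumed) for both, and separately flags the case Lauren warns about, where the kill-switch lookup is answered with a block instead of NOERROR.

```python
# Tripwire detection over DNS and authentication logs (added example).
# Two indicators that legitimate traffic never produces:
#  * a query for the WannaCry sinkhole domain: only the worm asks for it,
#    and a non-NOERROR answer means the kill switch cannot fire here;
#  * a login with a decoy account that was deliberately fed to a phishing
#    page: nobody owns it, so whoever presents it got it from that page.
import re
from dataclasses import dataclass

KILL_SWITCH_DOMAIN = "iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com"

# Decoy usernames -> the phishing lure each was submitted to.  Constructed
# values; one distinct decoy per lure is what makes attribution possible.
DECOY_ACCOUNTS = {
    "j.dupont-finance": "fake webmail lure, 2017-04-21",
    "press.office.tmp": "fake document-share lure, 2017-05-02",
}

# Assumed line formats for this example only (not any product's format):
#   DNS : <timestamp> <client-ip> query <qname> <rcode>
#   AUTH: <timestamp> <source-ip> login user=<name> result=<OK|FAIL>
DNS_RE = re.compile(r"^(\S+) (\S+) query (\S+) (\S+)$")
AUTH_RE = re.compile(r"^(\S+) (\S+) login user=(\S+) result=(\S+)$")


@dataclass(frozen=True)
class Alert:
    kind: str    # "killswitch-query", "killswitch-blocked" or "decoy-login"
    host: str    # internal client (DNS) or remote source address (auth)
    detail: str


def is_kill_switch_name(qname: str) -> bool:
    """True for the sinkhole domain itself or any label under it (www.)."""
    name = qname.rstrip(".").lower()
    return name == KILL_SWITCH_DOMAIN or name.endswith("." + KILL_SWITCH_DOMAIN)


def scan_dns(lines):
    alerts = []
    for line in lines:
        m = DNS_RE.match(line.strip())
        if not m:
            continue  # not a query record
        ts, client, qname, rcode = m.groups()
        if not is_kill_switch_name(qname):
            continue
        # The worm is the only thing that asks for this name.
        alerts.append(Alert("killswitch-query", client, f"{ts} rcode={rcode}"))
        if rcode != "NOERROR":
            # Refused, NXDOMAIN or blocklisted: the beacon cannot succeed,
            # so the worm on this host keeps scanning.  Allow the domain.
            alerts.append(Alert("killswitch-blocked", client, f"{ts} rcode={rcode}"))
    return alerts


def scan_auth(lines):
    alerts = []
    for line in lines:
        m = AUTH_RE.match(line.strip())
        if not m:
            continue
        ts, src, user, result = m.groups()
        lure = DECOY_ACCOUNTS.get(user.lower())
        if lure is None:
            continue  # real account; ordinary auth monitoring applies
        # Success or failure is irrelevant: presenting the decoy at all is
        # the signal, and the lure name says which phish it came from.
        alerts.append(Alert("decoy-login", src,
                            f"{ts} user={user} result={result} via {lure}"))
    return alerts


# Constructed sample records.  The last DNS line is a near-miss name that
# must not match (suffix check, not substring).
SAMPLE_DNS = """
2017-05-13T15:02:11Z 10.1.4.22 query www.example.com NOERROR
2017-05-13T15:02:14Z 10.1.4.22 query www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com NOERROR
2017-05-13T15:03:01Z 10.1.7.9 query www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com NXDOMAIN
2017-05-13T15:03:05Z 10.1.7.9 query notiuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com NOERROR
""".strip().splitlines()

SAMPLE_AUTH = """
2017-05-13T15:05:40Z 203.0.113.9 login user=alice result=OK
2017-05-13T15:06:02Z 198.51.100.7 login user=J.Dupont-Finance result=FAIL
2017-05-13T15:06:05Z 198.51.100.7 login user=press.office.tmp result=OK
""".strip().splitlines()


def run_sample():
    return scan_dns(SAMPLE_DNS) + scan_auth(SAMPLE_AUTH)


if __name__ == "__main__":
    for a in run_sample():
        print(f"{a.kind:18} {a.host:14} {a.detail}")
```

On the sample, 10.1.4.22 is reported as infected but able to reach the sinkhole, 10.1.7.9 as infected and unable to (the firewall/blocklist case), and 198.51.100.7 as an attacker replaying both decoys.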
------------------------------

Date: Mon, 8 May 2017 08:07:02 -0700
From: Lauren Weinstein <lauren () vortex com>
Subject: Facebook takes to newspapers to teach UK users how to spot "fake news" (Ars Technica)

via NNSquad
https://arstechnica.com/business/2017/05/facebook-fake-news-newspaper-ad/

Facebook has attempted to lightly rein in the spread of misinformation on the free content ad network by taking out full-page adverts in UK newspapers with "tips for spotting false news" ahead of next month's General Election. The Mark Zuckerberg-run company, which has long swerved any suggestion that it is the publisher of content that is shared on its site by nearly two billion people worldwide, makes it clear in its press ad that the onus is on its users to police dodgy-looking posts. "Be skeptical of headlines," it warned. Apparently, "catchy headlines in all caps with exclamation marks" could contain false news and users should be wary of clicking on clickbaity, screeching claims.

------------------------------

Date: Thu, 11 May 2017 15:27:19 -0700
From: Gene Wirchenko <genew () telus net>
Subject: "HP computer owners: Check for the MicTray Conexant keylogger"

Woody Leonhard, InfoWorld, 11 May 2017
The Conexant audio driver logs all keystrokes on certain HP machines and publishes them to a file in the Public folder
http://www.infoworld.com/article/3196125/data-security/on-hp-computers-check-for-the-conexant-keylogger-called-mictray.html

selected text:

Swiss security firm modzero AG released a white paper (PDF) that contains details about a keylogger in certain HP audio drivers. The keylogger stores records of all of your keystrokes in a file located in the public folder C:\Users\Public\MicTray.log. The Security Advisory goes on to list almost 30 HP machines known to use the bad drivers, ... including many current models. Modzero says it found evidence of the problematic behavior going all the way back to December 2015. It's still there today with driver Version 1.0.0.46.
If the logfile does not exist or the setting is not yet available in Windows registry, all keystrokes are passed to the OutputDebugString API, which enables any process in the current user-context to capture keystrokes without exposing malicious behavior.

I have no idea how the driver passed Microsoft certification, but apparently it has.

Modzero isn't happy with the runaround it's getting from HP. The group says it discovered the keylogger in MicTray 1.0.0.31 back on April 28. Modzero contacted Conexant the same day, and when the keylogger was found in the latest audio drivers, it contacted HP Enterprise on May 1. Then on May 5, modzero got a response from HP Enterprise, which ``tried to reach for security folks at HP Inc. to gain attention.'' Looks like HP Enterprise and HP Inc. aren't talking to each other -- I bet they start talking now.

  [Also noted by Al Mac;
  https://www.modzero.ch/modlog/archives/2017/05/11/en_keylogger_in_hewlett-packard_audio_driver/index.html
  https://consumerist.com/2017/05/12/keylogging-spyware-found-on-dozens-of-hp-laptop-models/
  https://thenextweb.com/insider/2017/05/11/hp-is-shipping-audio-drivers-with-a-built-in-keylogger/#.tnw_OV69vf8G
  HP list of their models affected:
  https://www.modzero.ch/advisories/MZ-17-01-Conexant-Keylogger.txt
  ... and Bob Gezelter:
  https://arstechnica.com/security/2017/05/hp-laptops-covert-log-every-keystroke-researchers-warn/
  PGN]

------------------------------

Date: Tue, 9 May 2017 10:40:40 -0700
From: Lauren Weinstein <lauren () vortex com>
Subject: MUST READ "Open MIC" report: Corporate responsibility in an age of alternative facts -- with emphasis on Facebook and Google

NNSquad
http://fakenews.openmic.org/

Among the recommendations discussed in this report:

To avoid government regulation and/or corporate censorship of information, tech companies should carry out impact assessments on their information policies that are transparent, accountable, and provide an avenue for remedy for those affected by corporate actions.

Tech companies should appoint ombudspersons to assess the impact of their content algorithms on the public interest.

Tech companies should report at least annually on the impact their policies and practices are having on fake news, disinformation campaigns and hate speech. Reports should include definitions of these terms; metrics; the role of algorithms; the extent to which staff or third-parties evaluate fabricated content claims; and strategies and policies to appropriately manage the issues without negative impact on free speech.

------------------------------

Date: Fri, 12 May 2017 21:06:29 -0700
From: Lauren Weinstein <lauren () vortex com>
Subject: China Is on Track to Fully Phase Out Cash (Motherboard)

via NNSquad
https://motherboard.vice.com/en_us/article/china-cashless

Experts believe it won't be long before China, the first country to introduce paper money, becomes the first to go totally cashless.

The better to track you by, my dear.

------------------------------

Date: Tue, 9 May 2017 12:19:48 +0300
From: Diomidis Spinellis <dds () aueb gr>
Subject: Sony PlayStation leads to the arrest of 15 member gang

A Sony PlayStation helped the police arrest 15 members of a gang that specialized in stealing company safes in Greece last week.
According to the police's press release [1], the gang members were involved in 145 cases, including 58 armed robberies, 52 burglaries, and 24 car thefts. In order to evade detectives, the gang used hundreds of cellphones, stolen cars, fake license plates, and diverse hideouts.

The "Kathimerini" daily newspaper reports [2] that one of the leads that helped the police to narrow down on the gang's members was a Sony PlayStation. In December 2016 the gang stole from a company 700 euros and a truck with 2179 PlayStation consoles. The police, in cooperation with Sony and the local ISPs, found that one of the stolen consoles was used the next day at the house of one of the gang members.

[1] http://www.astynomia.gr/index.php?option=ozo_content&lang=%27..%27&perform=view&id=71085&Itemid=1883&lang
[2] http://www.kathimerini.gr/908617/article/epikairothta/ellada/lhstes-twn-xrhmatokivwtiwn-to-krhsfygeto-sto-menidi-o-arravwnas-kai-to-klemmeno-playstation

Diomidis Spinellis - https://www.spinellis.gr/

------------------------------

Date: Thu, 11 May 2017 21:26:23 +0100
From: Chris Drewe <e767pmk () yahoo co uk>
Subject: UK Telecomms Service Stopped by Bureaucracy

RISKS has featured telecomms services stopped by hack attacks, software faults, infrastructure failures, and so forth, but one UK network has been disabled by officialdom, according to reports in a couple of newspapers. Years ago, pagers were widely used to keep in contact with people on the move, but their use has greatly declined with the popularity of cellphones, and the UK currently only has two service providers, PageOne, owned by Capita, and Vodafone. Vodafone wanted to transfer its 1,000 users to PageOne, but the UK Competition and Markets Authority objected and wanted a full investigation, which Vodafone didn't want to get involved with for such a tiny market, so announced that it will simply close its service...
------------------------------

Date: Sat, 13 May 2017 12:36:24 -0700
From: Bob Gonsalves <pinknoiz () me com>
Subject: Crash with Impact

https://www.nytimes.com/2017/04/22/us/politics/james-comey-election.html

FBI agents in New York seized Mr. Weiner's laptop in early October. The investigation was just one of many in the New York office and was not treated with great urgency, officials said. Further slowing the investigation, the F.B.I. software used to catalog the computer files kept crashing.

------------------------------

Date: Thu, 11 May 2017 11:22:31 -1000
From: geoff goodfellow <geoff () iconia com>
Subject: NYU Accidentally Exposed Military Code-Breaking Computer Project to Entire Internet (Sam Biddle)

Sam Biddle, The Intercept, 11 May 2017
https://theintercept.com/2017/05/11/nyu-accidentally-exposed-military-code-breaking-computer-project-to-entire-internet/

In early December 2016, Adam was doing what he's always doing, somewhere between hobby and profession: looking for things that are on the Internet that shouldn't be. That week, he came across a server inside New York University's famed Institute for Mathematics and Advanced Supercomputing, headed by the brilliant Chudnovsky brothers, David and Gregory. The server appeared to be an Internet-connected backup drive. But instead of being filled with family photos and spreadsheets, this drive held confidential information on an advanced code-breaking machine that had never before been described in public. Dozens of documents spanning hundreds of pages detailed the project, a joint supercomputing initiative administered by NYU, the Department of Defense, and IBM. And they were available for the entire world to download. [...]

------------------------------

Date: Wed, 10 May 2017 21:36:36 -0400 (EDT)
From: danny burstein <dannyb () panix com>
Subject: Confidential patient data breach at NYC's Bronx Leb Hospital

Third party vendor, rsync backups...
https://www.databreaches.net/confidential-medical-records-from-bronx-lebanon-hospital-exposed-online-by-vendors-error/

------------------------------

Date: Mon, 08 May 2017 09:30:25 -0700
From: "Bob Gezelter" <gezelter () rlgsc com>
Subject: Security Alert from Intel concerning Business-grade Processors with detection tool -- followup (downloadcenter)

The security vulnerability involving Intel involves more than servers; business laptops are also vulnerable. Advice is to run the Intel tool to determine vulnerability, then get the update from the manufacturer. The Intel article also includes interim mitigation information.

Intel has released detailed notes on checking for the vulnerability. See
https://downloadcenter.intel.com/download/26755

An extensive article also appeared in The Register at:
https://arstechnica.com/security/2017/05/the-hijacking-flaw-that-lurked-in-intel-chips-is-worse-than-anyone-thought/

------------------------------

Date: Mon, 08 May 2017 11:41:55 -0700
From: Gene Wirchenko <genew () telus net>
Subject: "Supply chain attack on HandBrake video converter app hits Mac users" (Lucian Constantin)

Lucian Constantin, ComputerWorld, 8 May 2017
Mac users who downloaded the app earlier this month may have their computers infected with the Proton Trojan program
http://www.computerworld.com/article/3194935/security/supply-chain-attack-on-handbrake-video-converter-app-hits-mac-users.html

selected text:

Hackers compromised a download server for HandBrake, a popular open-source program for converting video files, and used it to distribute a macOS version of the application that contained malware. The HandBrake development team posted a security warning on the project's website and support forum on Saturday, alerting Mac users who downloaded and installed the program from May 2 to May 6 to check their computers for malware.
This is just the latest in a growing string of attacks over the past few years in which attackers compromised software update or distribution mechanisms. Last week Microsoft warned of a software supply-chain attack in which a group of hackers compromised the software update infrastructure of an unnamed editing tool and used it to distribute malware to select victims: mainly organizations from the financial and payment processing industries.

This is not the first time Mac users have been targeted through such attacks either. The macOS version of the popular Transmission BitTorrent client distributed from the project's official website was found to contain malware on two separate occasions last year.

------------------------------

Date: Mon, 8 May 2017 22:09:58 -0400
From: Monty Solomon <monty () roscom com>
Subject: The FCC says an attack -- not John Oliver -- hampered its website

John Oliver renewed a call asking his viewers to support net neutrality rules.
https://www.washingtonpost.com/news/the-switch/wp/2017/05/08/the-fcc-says-an-attack-not-john-oliver-hampered-its-website/

------------------------------

Date: Tue, 9 May 2017 09:40:03 -0400
From: Monty Solomon <monty () roscom com>
Subject: U.S. military cyber operation to attack ISIS last year sparked heated debate over alerting allies

The Pentagon wanted to target servers in allied countries, but CIA, State and FBI said those nations had to be notified.
https://www.washingtonpost.com/world/national-security/us-military-cyber-operation-to-attack-isis-last-year-sparked-heated-debate-over-alerting-allies/2017/05/08/93a120a2-30d5-11e7-9dec-764dc781686f_story.html

------------------------------

Date: Wed, 10 May 2017 11:24:41 -0600
From: Jim Reisert AD1C <jjreisert () alum mit edu>
Subject: Re: Someone hacked every tornado siren in Dallas. It was loud.
Denver, CO has upgraded their tornado warning system:
http://www.thedenverchannel.com/news/local-news/tornado-warning-system-in-denver-upgraded-after-dallas-hacking-incident

I love this paragraph:

  "The sirens in Denver can be activated from the OEM, Denver 911, or at DIA.
  The city holds 86 sirens. Each of them received new hardware, making it
  impossible for anyone to take over the system."

I wonder who will consider this a challenge?

------------------------------

Date: Mon, 8 May 2017 14:36:50 -0600
From: Earl Boebert <bitsmasherpress () gmail com>
Subject: Re: Progress To Date

  [This is a follow-up to earlier items on the book by Earl Boebert and
  James Blossom (RISKS-29.80), at my request.  PGN]

It's always a tense situation when you release a complex technical analysis
like our Deepwater Horizon book, one that I am familiar with from the many
National Academies studies I've been on: Is somebody going to appear from
nowhere and invalidate one of your main conclusions?

The book came out in October and so far the answer is, "not yet, anyway."
Reviews have been sparse but good, and our informal working group has been
joined by readers, including the person who ran the simulations for the
Chemical Safety Board report. As a result of his work, the group thinks we have
a plausible theory for what failed down in the well. We'll be writing this up
and adding it to the website soon. It suggests an answer to the last
outstanding question, but doesn't invalidate any of the conclusions in the
book.

------------------------------

Date: Tue, 9 May 2017 14:05:50 -0500
From: Dimitri Maziuk <dmaziuk () bmrb wisc edu>
Subject: Re: The Lost Picture Show (DeMattia, RISKS-30.28)

We have a couple of obsolete drives sitting on the shelf in a server room.
At this point a) I don't know what interface they have (some flavour of SCSI I
expect) but I'm certain we don't have a computer with that kind of interface
card and b) I am fairly certain the lubricants have solidified and rubber
belts, if any, will either crack and turn into black dust, or ooze into a
sticky black goo, the moment one tries to use them.

In theory you could retain the hardware indefinitely, but you have to choose
that hardware very carefully first.

------------------------------

Date: Sat, 13 May 2017 11:29:23 -0400
From: Gabe Goldberg <gabe () gabegold com>
Subject: Re: The Lost Picture Show: Hollywood Archivists Can't Outpace
  Obsolescence (IEEE Spectrum)

Hardware deteriorates (bearings, lubrication, plastics, connections, etc.). I
wouldn't trust a ten-year-old drive to reliably spin up, let alone one reaching
back far further to read irreplaceable/historical archive tapes. Since it'll be
hard to acquire spare parts, how many copies of each data generation's hardware
would be needed? Then there's needing people experienced in servicing them,
plus manuals and schematics. And needing computers capable of connecting to and
driving them. And, of course, tapes themselves deteriorate too.

------------------------------

Date: Wed, 10 May 2017 21:31:38 -0600
From: Brian Inglis <Brian.Inglis () systematicsw ab ca>
Subject: Re: The Lost Picture Show: Hollywood Archivists Can't Outpace
  Obsolescence (DeMattia, RISKS-30.28)
It most certainly does *not* mean that. It might mean that film archivists must retain hardware capable of reading the obsolescent tapes.
In order to do that, film archivists must have the capability to: archive the
tapes in readable condition; maintain hardware and their interfaces, and spares
for those; software to use those interfaces; documentation and media for the
hardware, software, operation, and maintenance; and retain staff able to use
and maintain those; to read the tapes, recover data going bad, and write the
contents to new media. A rather larger set of requirements and risks to manage.

The biggest risk is probably retention of tech staff interested in and capable
of maintaining obsolescent hardware and software for years. Organizations may
weigh the risks and costs differently to choose their most effective approach.

------------------------------

Date: Wed, 10 May 2017 02:31:31 -0400 (EDT)
From: Jeff Jonas <jeffj () panix com>
Subject: Re: The Lost Picture Show: Hollywood Archivists Can't Outpace
  Obsolescence (IEEE Spectrum)

I'd say it goes both ways. Libraries are digitizing cylinder recordings to make
them available, but they keep the original recordings, particularly as new
developments allow for more faithful recreation of the sound. But there's a
video of a fellow holding a priceless cylinder recording that shatters.
Multiple copies on various media guard against that, particularly if at
various locations.

I'm keeping my LPs because I have turntables, but they're useful only to folks
with turntables. But magtape, 8" floppy disks, QIC tapes and other computer
media are problematic because few drives are available to read them. Even
drives in storage self-destruct as rubber parts either dry up and crack, or
turn to chewing-gum. So then the problem becomes preserving the drives to
preserve the ability to read archives, vs. copying up to current media readable
by just about anyone.

  [Overlapping comments from Erling Kristiansen.
  PGN]

------------------------------

Date: 9 May 2017 19:38:42 -0000
From: "John Levine" <johnl () iecc com>
Subject: Re: Man gets fined for discovering an engineering flaw (RISKS-30.26)

It's true that they fined him for calling himself an Engineer, and these days,
that is ridiculous. It is also clear from the context that they did so out of
malice, because they didn't like what he said about red light cameras that
generate ticket revenue.

In Oregon, the semi-independent Board of Examiners for Engineering and Land
Surveying licenses professional engineers and has for a long time. PEs sign
blueprints and similar safety critical documents. Every state has a similar PE
licensing system, and it's an important part of what keeps our roads and
bridges and oil refineries and other construction projects safe. Some
engineering grads do the extra work to get a PE license, some don't, depending
on whether they plan a career that involves stuff that PEs have to sign.

For example, my father has two engineering degrees but never got a PE license
because he designed and built airplane fuel gauges and other electronic
instruments for which the license isn't relevant. He has never called himself
a PE because he isn't one. Nonetheless he is a life member of the IEEE (and
before that a member of the ISA and IRE.)

In sensible places, which I think includes the other 49 states, they regulate
the term Professional Engineer. When I look at the Oregon law, it is
ambiguously written, about whether the regulated term is professional engineer
or plain engineer, and it was a mistake not to challenge the $500 ticket in the
first place. Given the wide usage of the term engineer to refer to people who
don't have a license, I expect courts would throw it out on first amendment
grounds. Perhaps the IEEE, which welcomes both licensed and unlicensed
engineers, would offer an amicus brief.

PS: I agree that calling people "Software Engineers" is an egregious misuse of
language.
So-called software engineers don't have any of the training that actual
engineers do, other than perhaps taking a few of the same courses in school. I
realize the software engineer horse has long left the barn; there is a fairly
well agreed definition of what such a person does, and no sensible person
confuses us with a licensed PE.

------------------------------

Date: Tue, 9 May 2017 17:51:39 -0300
From: mspencer () tallships ca (Mike Spencer)
Subject: Re: Senseless Government Rules Could Cripple the Robo-Car Revolution
  (Youngman, RISKS-30.28)

If vehicles are to have minds of their own, maybe it's time for everyone to
re-read Valentino Braitenberg's Vehicles -- Experiments in Synthetic
Psychology. (MIT Press, 1984).

------------------------------

Date: Wed, 10 May 2017 07:14:36 +1000 (EST)
From: Dave Horsfall <dave () horsfall org>
Subject: Re: Bobby Tables and electoral fraud

Jeremy Epstein wrote:
> Not disputing that it's a potential threat; just for the record it appears
> to have been unsuccessful.
No claim was made that it was successful; in fact, upon studying the item
again it was clearly intended as a joke (the SQL appears to be preceded by
"pwn", which is of course cracker slang for "broke into"). But yes, that was
seven years ago, and as Bruce Schneier is always saying, attacks only get
better over time...

------------------------------

Date: Tue, 9 May 2017 18:17:42 -0400 (EDT)
From: Kelly Bert Manning <Kelly.Manning () ncf ca>
Subject: Re: Bobby Tables ... SQL injection

"(Basically it injects a "DROP TABLE" command.)"

And? In DB2 the running process would have to be authorised for the DROP TABLE
action in that particular named Tablespace. How common is that? Is DROP TABLE
less restricted in other Relational DB Management Systems?

I will concede that my experience has been that a number of IMS and CICS
developers GRANT EXECUTE on DB2 Plans to PUBLIC, even though they have the
option to restrict that GRANT to a particular named CICS or IMS subsystem. Even
then, CREATE and DROP tablespace should involve scratch pad or work tablespaces
which are intended to be used for transient data, not the same tablespaces used
for long term data. The running process should not be using a DB Admin or
Developer ID.

I pointed out to Security Admins and Sys Admins that a GRANT to PUBLIC without
limiting the scope to a named subsystem meant that programmers with a screw
loose or axe to grind could invoke the program from batch, TSO... They told me
that I was being too paranoid, so I applied that restriction to my own work and
didn't pursue it for the entire server.

My 1st 1979 IMS project involved a contractor who inspired a policy that a tape
should never be sent offsite without a Group Data Security Admin signature.
Years later I saw him in the middle of a Group Photo when I started a new job
and asked "Oh, does first name last name work here?". That was met with a
sudden silence.
I told the story of my interaction with him and was told that the 1st time he
had been on the overnight on-call support rotation the phone number he had
given turned out to be for "Dial a Prayer". My new manager took to having me
vet the names of potential hires. If I didn't recognise the name I could often
dig up work related comments such as showing up after office hours when a
manager was working alone, with a shotgun, to dispute work assignments.

As I wrote, some folks just have a screw loose, no matter how technically
brilliant they may be.

------------------------------

Date: Tue, 10 Jan 2017 11:11:11 -0800
From: RISKS-request () csl sri com
Subject: Abridged info on RISKS (comp.risks)

 The ACM RISKS Forum is a MODERATED digest. Its Usenet manifestation is
 comp.risks, the feed for which is donated by panix.com as of June 2011.
=> SUBSCRIPTIONS: The mailman Web interface can be used directly to
 subscribe and unsubscribe:
   http://mls.csl.sri.com/mailman/listinfo/risks

=> SUBMISSIONS: to risks () CSL sri com with meaningful SUBJECT: line that
   includes the string `notsp'.  Otherwise your message may not be read.
 *** This attention-string has never changed, but might if spammers use it.
=> SPAM challenge-responses will not be honored.  Instead, use an alternative
 address from which you never send mail where the address becomes public!
=> The complete INFO file (submissions, default disclaimers, archive sites,
 copyright policy, etc.) is online.
   <http://www.CSL.sri.com/risksinfo.html>
 *** Contributors are assumed to have read the full info file for guidelines!

=> OFFICIAL ARCHIVES: http://www.risks.org takes you to Lindsay Marshall's
    searchable html archive at newcastle:
  http://catless.ncl.ac.uk/Risks/VL.IS --> VoLume, ISsue.
  Also, ftp://ftp.sri.com/risks for the current volume
     or ftp://ftp.sri.com/VL/risks-VL.IS for previous VoLume
  If none of those work for you, the most recent issue is always at
     http://www.csl.sri.com/users/risko/risks.txt, and index at /risks-30.00
  Lindsay has also added to the Newcastle catless site a palmtop version
  of the most recent RISKS issue and a WAP version that works for many but
  not all telephones: http://catless.ncl.ac.uk/w/r
  ALTERNATIVE ARCHIVES: http://seclists.org/risks/ (only since mid-2001)
   <http://the.wiretapped.net/security/info/textfiles/risks-digest/>
 *** NOTE: If a cited URL fails, we do not try to update them.  Try
  browsing on the keywords in the subject line or cited article leads.
==> Special Offer to Join ACM for readers of the ACM RISKS Forum:
    <http://www.acm.org/joinacm1>

------------------------------

End of RISKS-FORUM Digest 30.29
************************
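
Editor's added example for the Bobby Tables exchange above (the Horsfall and
Manning items). It is not code from the digest or from any contributor. It
shows the three things those items talk past each other on: the injectable
string-built statement that the joke relies on, the parameterised version in
which the whole payload is stored as one value, and Manning's point that a
DROP TABLE injected into a process that was never authorised to DROP goes
nowhere. Python's standard sqlite3 module stands in for DB2; sqlite has no
GRANT, so the "not authorised for the DROP TABLE action" case is modelled with
an authorizer callback on the application's connection. The schema, the
Alice row and the payload string are constructed for the example.

```python
"""Bobby Tables three ways: injectable, parameterised, and unprivileged.

Added example, not code from the digest or any contributor. sqlite3 stands in
for DB2; the GRANT-based restriction Manning describes is modelled with a
connection-level authorizer that denies DROP TABLE.
"""
import sqlite3

# Constructed input: the classic xkcd payload.
BOBBY = "Robert'); DROP TABLE students;--"


def fresh_db():
    """In-memory database with a constructed 'students' table and one row."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE students (name TEXT)")
    conn.execute("INSERT INTO students VALUES ('Alice')")
    conn.commit()
    return conn


def table_exists(conn, name):
    row = conn.execute(
        "SELECT 1 FROM sqlite_master WHERE type='table' AND name=?", (name,)
    ).fetchone()
    return row is not None


def names(conn):
    """Sorted student names, or None if the table is gone."""
    if not table_exists(conn, "students"):
        return None
    return sorted(r[0] for r in conn.execute("SELECT name FROM students"))


def insert_vulnerable(conn, name):
    """String-built SQL run with executescript, so a second statement smuggled
    in through the value executes too. Returns whether 'students' survived."""
    conn.executescript("INSERT INTO students VALUES ('%s');" % name)
    return table_exists(conn, "students")


def insert_parameterised(conn, name):
    """Bound parameter: the driver sends the payload as data, never as SQL."""
    conn.execute("INSERT INTO students VALUES (?)", (name,))
    conn.commit()
    return table_exists(conn, "students")


def least_privilege(conn):
    """Deny DROP TABLE on this connection, modelling an application ID that was
    never GRANTed that action. Every other operation is still allowed."""
    def authorizer(action, arg1, arg2, dbname, trigger):
        if action == sqlite3.SQLITE_DROP_TABLE:
            return sqlite3.SQLITE_DENY
        return sqlite3.SQLITE_OK
    conn.set_authorizer(authorizer)
    return conn


def insert_vulnerable_unprivileged(conn, name):
    """Same injectable code as insert_vulnerable, on a connection that cannot
    DROP. The INSERT runs, the injected DROP is refused at prepare time.
    Returns (students_survived, error_message_or_None)."""
    try:
        conn.executescript("INSERT INTO students VALUES ('%s');" % name)
        err = None
    except sqlite3.DatabaseError as e:  # SQLITE_AUTH surfaces as "not authorized"
        err = str(e)
    return table_exists(conn, "students"), err


if __name__ == "__main__":
    print("vulnerable, table survived:", insert_vulnerable(fresh_db(), BOBBY))
    c = fresh_db()
    print("parameterised, table survived:", insert_parameterised(c, BOBBY),
          "rows:", names(c))
    c = least_privilege(fresh_db())
    print("vulnerable but unprivileged:", insert_vulnerable_unprivileged(c, BOBBY),
          "rows:", names(c))
```

The last case is the one Manning is making: the injection bug is still there
and still worth fixing, but with the process running under an ID that lacks
DROP the damage is bounded to what that ID can do. The parameterised query
removes the bug; the privilege restriction removes the blast radius. Run both.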