RISKS-LIST: Risks-Forum Digest Monday 25 July 2011 Volume 26 : Issue 49 ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks) Peter G. Neumann, moderator, chmn ACM Committee on Computers and Public Policy ***** See last item for further information, disclaimers, caveats, etc. ***** This issue is archived at <http://www.risks.org> as <http://catless.ncl.ac.uk/Risks/26.49.html> The current issue can be found at <http://www.csl.sri.com/users/risko/risks.txt> Contents: [Way backlogged. I've been very busy. Catching up. PGN] Planes collide in midair, land safely (Monty Solomon) Aviation Experts Worry About Aircraft Mishaps on the Ground (Monty Solomon) Pilots to use iPads instead of manuals (Peter Houppermans) Safety on China's Railroads (Chuck Weinstock) Toyota to recall 82,200 vehicles in the US (Monty Solomon) Don't throw away Grandma's wind-up desk clock (Danny Burstein) Electronic vote stealing in Ohio's 2004 Presidential Election (PGN) Bruce Schneier's CRYPTOGRAM item on Dropbox and clouds (PGN) A Mouse Ate Your Network? (Ted Samson via Gene Wirchenko) Apple Laptops Vulnerable To Hack That Kills Or Corrupts Batteries (Andy Greenberg via Monty Solomon) Patient alleges Tufts breached privacy (Chelsea Conaboy via Monty Solomon) Beth Israel reports potential data breach (Hiawatha Bray via Monty Solomon) Most cellphone voice mail is vulnerable to hackers (Hiawatha Bray via Monty Solomon) Staples resold devices holding consumer data (Jenn Abelson via Monty Solomon) Somebody is using my e-mail address, but I can't figure out why (Jonathan Kamens) Empowering Evil Through Search and Surveillance: Why Corporate Ethics Matter (Lauren Weinstein) Book review: Surveillance or Security?: The Risks Posed by New Wiretapping Technologies (Ben Rothke) Abridged info on RISKS (comp.risks) ---------------------------------------------------------------------- Date: Fri, 15 Jul 2011 22:12:41 -0400 From: Monty Solomon <monty_at_private> Subject: Planes collide in midair, land safely http://www.usatoday.com/news/nation/2011-07-12-alaska-planes-collide_n.htm ------------------------------ Date: Fri, 15 Jul 2011 22:12:41 -0400 From: Monty Solomon <monty_at_private> Subject: Aviation Experts Worry About Aircraft Mishaps on the Ground Aviation Experts Worry About Aircraft Mishaps on the Ground http://abcnews.go.com/Travel/BusinessTraveler/aviation-experts-worry-airport-collision-bostons-logan-international/story?id=14083446 Delta 767 winglet sheared off in Boston collision http://travel.usatoday.com/flights/post/2011/07/boston-jets-clip-collide-delta/177084/1 ------------------------------ Date: Wed, 06 Jul 2011 09:05:45 +0200 From: Peter Houppermans <peter_at_private> Subject: Pilots to use iPads instead of manuals Flaps up - check<br> iPad charged - check<br> http://www.pocket-lint.com/news/40880/pilots-swapping-manuals-for-ipads"> The Federal Aviation Administration has approved the use of iPads in the cockpits of commercial and charter aircrafts - in the US, at least. Traditionally, each plane would house a collection of bulky flight manuals, weighing up to 40-pounds. Now though, a pilot is allowed to store digital versions of the books on a tablet device. I hope they still have to keep the tree version as a non-battery dependent backup for redundancy. I also hope pilots are made to look up things in the original manuals as a regular exercise (just on the basis of observing what has happened to the map reading skills of the average car driver as a result of GPS use). There are upsides in terms of better referencing and easier information updates, but I'd be interested to see how they approached updates and maintenance. [What about in-flight real-time manual updating? PGN] ------------------------------ Date: Sun, 24 Jul 2011 14:23:04 -0400 From: Chuck Weinstock <weinstock_at_private> Subject: Safety on China's Railroads http://www.nytimes.com/2011/07/25/world/asia/25train.html The article in today's paper was somewhat different with more of an emphasis on the lack of a safety culture in China. The apparent cause was the train being struck by lightning causing it to stop. That combined with malfunctioning signaling caused the following train to rear end the first one. ------------------------------ Date: Sat, 2 Jul 2011 18:38:13 -0400 From: Monty Solomon <monty_at_private> Subject: Toyota to recall 82,200 vehicles in the US Toyota Motor Corp. said it will recall about 82,200 hybrid SUVs in the U.S. due to computer boards with possible faulty wiring. The car giant said the recall will involve Highlander and Lexus brand hybrid SUVs from its 2006 and 2007 lines. The action covers just the vehicles sold in the U.S., with no other models affected. ... *The Boston Globe*, June 29, 2011 http://www.boston.com/cars/news/articles/2011/06/29/toyota_to_recall_82200_vehicles_in_the_us/ ------------------------------ Date: Sat, 25 Jun 2011 15:03:11 -0400 (EDT) From: Danny Burstein <dannyb_at_private> Subject: Don't throw away Grandma's wind-up desk clock Power-grid experiment could confuse electric clocks [AP story via msnbc] Traffic lights, security systems and computers may be affected by frequency change as well. A yearlong experiment with America's electric grid could mess up traffic lights, security systems and some computers - and make plug-in clocks and appliances like programmable coffeemakers run up to 20 minutes fast. "A lot of people are going to have things break and they're not going to know why," said Demetrios Matsakis, head of the time service department at the U.S. Naval Observatory, one of two official timekeeping agencies in the federal government. Since 1930, electric clocks have kept time based on the rate of the electrical current that powers them. If the current slips off its usual rate, clocks run a little fast or slow. Power companies now take steps to correct it and keep the frequency of the current - and the time - as precise as possible. The group that oversees the U.S. power grid is proposing an experiment that would allow more frequency variation than it does now without corrections, according to a company presentation obtained by The Associated Press. ... The North American Electric Reliability Corp. runs the nation's interlocking web of transmission lines and power plants. A June 14 company presentation spelled out the potential effects of the change: East Coast clocks may run as much as 20 minutes fast over a year, but West Coast clocks are only likely to be off by 8 minutes. In Texas, it's only an expected speedup of 2 minutes. http://today.msnbc.msn.com/id/43532031/ns/technology_and_science-innovation/ ------------------------------ Date: Fri, 22 Jul 2011 4:49:07 PDT From: "Peter G. Neumann" <neumann_at_private> Subject: Electronic vote stealing in Ohio's 2004 Presidential Election Freepress.org: New court filing reveals how the 2004 Ohio presidential election was hacked http://www.freepress.org/departments/display/19/2011/4239 See also http://www.benzinga.com/news/11/07/1789905/forget-anonymous-evidence-suggests-gop-hacked-stole-2004-election#ixzz1Ssy99Dmv ------------------------------ Date: Wed, 29 Jun 2011 17:33:34 PDT From: "Peter G. Neumann" <neumann_at_private> Subject: Bruce Schneier's CRYPTOGRAM item on Dropbox and clouds Bruce Schneier, CRYPTOGRAM: I haven't written about Dropbox's security problems; too busy with the book. But here's an excellent summary article from The Economist. http://www.economist.com/blogs/babbage/2011/05/internet_security The meta-issue is pretty simple. If you expect a cloud provider to do anything more interesting than simply store your files for you and give them back to you at a later date, they are going to have to have access to the plaintext. For most people -- Gmail users, Google Docs users, Flickr users, and so on -- that's fine. For some people, it isn't. Those people should probably encrypt their files themselves before sending them into the cloud. Another security issue with Dropbox: http://dereknewton.com/2011/04/dropbox-authentication-static-host-ids/ ------------------------------ Date: Tue, 05 Jul 2011 09:52:57 -0700 From: Gene Wirchenko <genew_at_private> Subject: A Mouse Ate Your Network? http://www.infoworld.com/t/insider-threats/security-company-infects-clients-network-trojan-mouse-576 Ted Samson, InfoWorld Tech Watch, June 28, 2011 Security company infects client's network with 'Trojan mouse' By loading a USB mouse with malware and exploiting end-user blabbing, NetraGard succeeds in infecting a client's network Security consulting company NetraGard has demonstrated that something as seemingly innocuous as a USB mouse, along with tidbits of information freely available on the Internet, can provide a hacker quick and easy access to a seemingly secure IT environment. ... ------------------------------ Date: Sun, 24 Jul 2011 01:01:13 -0400 From: Monty Solomon <monty_at_private> Subject: Apple Laptops Vulnerable To Hack That Kills Or Corrupts Batteries Andy Greenberg, Apple Laptops Vulnerable To Hack That Kills Or Corrupts Batteries, *Forbes*, 22 Jul 2011 A pile of dead Apple laptop batteries, victims of Charlie Miller's research. Your laptop's battery is smarter than it looks. And if a hacker like security researcher Charlie Miller gets his digital hands on it, it could become more evil than it appears, too. At the Black Hat security conference in August, Miller plans to expose and provide a fix for a new breed of attack on Apple laptops that takes advantage of a little-studied weak point in their security: the chips that control their batteries. ... http://blogs.forbes.com/andygreenberg/2011/07/22/apple-laptops-vulnerable-to-hack-that-kills-or-corrupts-batteries/ [Gene Wirchenko noted an item by Christina DesMarais: http://www.itbusiness.ca/it/client/en/CDN/News.asp?id=63437 ------------------------------ Date: Fri, 15 Jul 2011 22:41:31 -0400 From: Monty Solomon <monty_at_private> Subject: Patient alleges Tufts breached privacy Patient alleges Tufts breached privacy Sues after medical history was faxed to job Chelsea Conaboy, *The Boston Globe*, 15 Jul 2011 A patient has sued Tufts Medical Center and a primary care doctor there, alleging that documents including her medical history were sent to a fax machine at her workplace without her consent. Kimberly White of Middleborough, 44, said in an interview that at least two co-workers read the records, causing her embarrassment. She filed a complaint in Plymouth County Superior Court alleging that her privacy rights were violated and seeking punitive damages. The hospital has denied wrongdoing. While recovering from a hysterectomy in December, White asked Dr. Kimberly Schelling to fax a required form related to a disability claim to White's employer. Instead, according to the court filing, four pages of White's medical records were sent to a shared fax machine in the office. ... http://www.boston.com/news/local/massachusetts/articles/2011/07/15/lawsuit_alleges_tufts_faxed_patient_records_to_workplace_without_permission/ ------------------------------ Date: Mon, 18 Jul 2011 22:54:04 -0400 From: Monty Solomon <monty_at_private> Subject: Beth Israel reports potential data breach Beth Israel reports potential data breach Hiawatha Bray, *The Boston Globe*, 18 Jul 2011 Beth Israel Deaconess Medical Center is notifying more than 2,000 of its patients that some of their personal information may have been stolen from a hospital computer. The hospital said today that an unnamed computer service vendor had failed to restore proper security settings on the computer after performing maintenance on it. The machine was later found to be infected with a computer virus, which transmitted data files to an unknown location. The computer contained medical record numbers, names, genders, and birth dates of 2,021 patients, as well as the names and dates of radiology procedures they'd undergone. But the computer didn't contain the patients' financial data or their Social Security numbers, which can be used to steal identities and defraud banks. ... http://www.boston.com/Boston/businessupdates/2011/07/beth-israel-reports-potential-data-breach/sLnihf9HOmBQDGc6GFCVTI/index.html ------------------------------ Date: Wed, 13 Jul 2011 08:34:15 -0400 From: Monty Solomon <monty_at_private> Subject: Most cellphone voice mail is vulnerable to hackers Hiawatha Bray, *The Boston Globe*, 13 Jul 2011 http://www.boston.com/business/technology/articles/2011/07/13/most_cellphone_voice_mail_is_vulnerable/ Breaking into someone's voice mailbox - in the style of the hackers at the British tabloid News of the World - can be as easy in the United States as it is on the other side of the Atlantic. It is done using a readily available online service known as "caller ID spoofing,'' which can make a call appear to be coming from any phone number. Hackers can use it to access someone else's voice mail messages by fooling the system into thinking the call is coming from the owner's cellphone. If the mailbox is not protected by a password, as is often the case, the attacker can hear and even delete messages in the target's voice mailbox. There are numerous spoofing services in the United States; all you need to do is Google them. Although these services are used by hackers to commit crimes, they're also used legitimately by, for example, battered women who do not want their calls traced, or law enforcement agents operating undercover. ... ------------------------------ Date: Sat, 2 Jul 2011 16:52:55 -0400 From: Monty Solomon <monty_at_private> Subject: Staples resold devices holding consumer data Jenn Abelson, Canada audit rips Mass.-based chain, *The Boston Globe*, 22 Jun 2011 http://www.boston.com/business/articles/2011/06/22/staples_resold_devices_holding_consumer_data/ Staples Inc. has repeatedly put consumers' data at risk in Canada by failing to wipe clean returned storage devices that contain sensitive information and are then resold. Those findings were reported yesterday following an audit by the Office of the Privacy Commissioner of Canada. The audit included tests of storage devices, including computers, USB hard drives, and memory cards that had undergone a `wipe and restore' process and were destined for resale. Of the 149 devices tested, 54 contained customer data, including "highly sensitive personal information'' such as health card and passport numbers, academic transcripts, banking information, and tax records. ``Our findings are particularly disappointing given we had already investigated two complaints against Staples involving returned data storage devices and the company had committed to taking corrective action,'' Canada's privacy commissioner, Jennifer Stoddart, said in a statement. ``While Staples did improve procedures and control mechanisms after our investigations, the audit showed those procedures and controls were not consistently applied, nor were they always effective - leaving customers' personal information at serious risk.'' ... ------------------------------ Date: Thu, 23 Jun 2011 12:40:18 -0400 From: Jonathan Kamens <jik_at_private> Subject: Somebody is using my e-mail address, but I can't figure out why A few days ago, I got e-mail from the Starwood hotel chain, thanking me=20 for contacting them. Except I hadn't. I figured it was just a spammer=20 using my e-mail address, so I ignored it. I got e-mail from Starwood asking me to clarify my service request=20 because it made no sense. They included the original request in their=20 e-mail, so I was able to see the text (which was, indeed, nonsense) as=20 well as the full name of whoever contacted them using my e-mail address.=20 I wrote back to them and told them to ignore it. Today, however, things got crazy. I got an e-mail address from Google=20 congratulating me on the creation of my new Gmail account. Except I=20 hadn't created a new account; someone else had, and specified my e-mail=20 address as the password recovery address. Thinking fast, I took advantage of that fact to take over the account=20 (the spammers and phishers aren't the only people who can play that=20 game!), so that whatever this individual was planning on doing with it,=20 they won't be able to. After doing so, I was able to confirm that the=20 full name they gave to Google when creating the Gmail account matches=20 the name they gave to Starwood, so it seems likely that either the same=20 person or two people working together did both things. The thing is, I can't figure out what this person or persons hope to=20 gain with what they are doing, and that concerns me. I can't imagine=20 they'd be doing it if there weren't something to gain, and I can't help=20 but worry that if it helps them, it'll hurt me. ... more details about this on my blog at http://blog.kamens.us/?p=2258. If anybody has any ideas about what's going on here, I'd sure love to hear them (sent to me or RISKS via email or posted as comments on my blog). ------------------------------ Date: Tue, 5 Jul 2011 14:23:34 -0700 From: Lauren Weinstein <lauren_at_private> Subject: Empowering Evil Through Search and Surveillance: Why Corporate Ethics Matter Empowering Evil Through Search and Surveillance: Why Corporate Ethics Matter http://lauren.vortex.com/archive/000877.html Here in the U.S., we've just celebrated our Fourth of July holiday -- Independence Day. It's actually rather complex in nature, a celebration not only of revolution and independence, but also of our foundational documents, the Constitution and the first ten amendments to the Constitution, the Bill of Rights. These are remarkable written works from many standpoints. We have not always been true to their ideals. But the men who wrote them were able to create proclamations that have remained relevant for almost two and half centuries, through our evolution from agrarian society to a technological nation beyond the wildest imaginations of virtually anyone living at the time (except, perhaps, my personal hero, Benjamin Franklin!) The Bill of Rights and Constitution together suggest an ethical path for this country, but no documents, no laws, can successfully legislate ethics or morality. We can ban government interference in free speech, as does the First Amendment, but we cannot assure that freedoms will be wisely used. This is in the nature of laws, men, and women throughout history. Still, it's difficult not to feel disappointed when our ideals are subverted for commercial gain, and during this past holiday two examples of this were thrust into the media. As I criticized yesterday, Microsoft has now formally partnered with Chinese search giant Baidu to provide Chinese government-censored English language search results in China ( http://j.mp/kYyGO2 [Lauren's Blog] ). And now comes word that Cisco will be providing the networking gear for a massive Chinese surveillance system, that will almost certainly be used primarily to target political dissent. Perhaps most alarming in this case is the reaction of Cisco to questions about the ethics of the contract. "It's not my job to really understand what they're going to use it for," was the reaction of Cisco's executive VP in charge of their China strategy. I know I'm not the only observer invoking the lyrics of the great satirist Tom Lehrer regarding Wernher von Braun in this context: "'Once the rockets are up, who cares where they come down? That's not my department', says Wernher von Braun." Nor am I the only one who remembers the dark history of IBM's involvement with Nazi Germany in the name of technology sales bottom lines ( http://j.mp/j3JX7O [CNET] ). A common meme is that corporations are amoral, unconcerned with ethics, uninterested in anything but maximizing profits. This is sadly often true, but certainly is not always the case. Yes, questions of ethics and business are complex, and different situations may be easily confused. For example, if a company chooses to do business in a particular country, they must obey that country's laws. They can challenge what they don't feel is appropriate, but ultimately if they don't obey the laws they will very likely be subjected to sanctions of some sort, civil and/or even criminal in nature. And they may be denied access to those countries entirely. Yet companies can also choose not to extend their products and services into countries where laws and government actions are obviously in conflict with our own ethical considerations. Firms can choose ethics over profits, if they care enough about the former, not just the latter. And so we saw Google's decision to stop censoring its search results in China -- censorship demanded by the Chinese government -- after a period of compliance during which Google hoped Chinese sensibilities about access to knowledge -- and freedom of speech -- would improve, a test that China unfortunately failed. Google initially and understandably gave China the benefit of the doubt. Yet China -- and I'm speaking of the Chinese government, not the people themselves -- then chose to be even more belligerent on these issues, not less. Google rightly made the decision that in light of these developments, participation in China's censorship regime was not good for the Chinese people or for Google, and ceased participation. Google made the ethically correct choice, one that should be roundly congratulated. In light of this, it's difficult to accept Microsoft's new move to not only provide censored search services in China, but to go one giant step farther and actually partner with the Chinese search giant Baidu within the Chinese censorship regime. By this action, Microsoft allies itself directly with the Chinese government's information oppression, and becomes not just a bit player in that regime, but a full-fledged comrade in censorship. Microsoft can't claim ignorance of China's modus operandi in these regards. Not only the Google experience dealing with China and search, but other recent Chinese activities, have provided concrete examples. So without a doubt, money has won out over ethics for Microsoft when it comes to China. No excuses, no mitigating circumstances. And similarly for Cisco. Like IBM and their dealings with German National Socialism in the WWII era, Cisco appears to be purposely, directly, and explicitly "averting its eyes" from knowledge of how its technologies will certainly be abused. It can indeed be argued that our actions as a nation have not always been in keeping with the ideals and hopes of our Founding Fathers. Our government and businesses -- and we the people -- are not perfect. Nobody is. But the fulfillment of our ideals is ultimately a tapestry of individual actions at all levels, and past mistakes do not justify present or future unethical behaviors. This applies not only to each of us, but also to our governments, to Microsoft, to Cisco, and to every other corporation and organization. While Microsoft's and Cisco's couplings with China may reap benefits for their shareholders, these specific dealings are still a fundamental betrayal of ethics, and of our fundamental values -- especially given what we know today about Chinese government behaviors and reactions in these realms at this time. The Chinese people are not our enemies. And in the long run, a closer relationship between China and the U.S. would be of immense value to both countries. But an ethical path to that goal cannot be reasonably paved with direct U.S. entanglements with the most oppressive aspects of China's government today. An unethical path merely serves to help perpetuate those very abuses that most slow any progress toward our best and finest aspirations. Lauren Weinstein (lauren@private): http://www.vortex.com/lauren [PGN-ed] People For Internet Responsibility: http://www.pfir.org Network Neutrality Squad: http://www.nnsquad.org PRIVACY Forum: http://www.vortex.com +1 (818) 225-2800 / Skype: vortex.com ------------------------------ Date: Thu, 14 Jul 2011 08:31:10 -0400 From: Ben Rothke <brothke_at_private> Subject: Book review: Surveillance or Security?: The Risks Posed by New Wiretapping Technologies Surveillance or Security?: The Risks Posed by New Wiretapping Technologies is a hard book to categorize. It is not about security, but it deals extensively with it. It is not a law book, but legal topics are pervasive throughout the book. It is not a telecommunications book, but extensively details telco issues. Ultimately, the book is a most important overview of security and privacy and the nature of surveillance in current times. My full review of this excellent book is at: https://365.rsaconference.com/blogs/securityreading/2011/07/08/surveillance-or-security-the-risks-posed-by-new-wiretapping-technologies http://www.amazon.com/gp/product/0262015307/ref=as_li_ss_tl?ie=UTF8&tag=benrothkswebp-20&linkCode=as2&camp=217145&creative=399373&creativeASIN=0262015307 ------------------------------ Date: Mon, 6 Jun 2011 20:01:16 -0900 From: RISKS-request_at_private Subject: Abridged info on RISKS (comp.risks) The ACM RISKS Forum is a MODERATED digest. Its Usenet manifestation is comp.risks, the feed for which is donated by panix.com as of June 2011. => SUBSCRIPTIONS: PLEASE read RISKS as a newsgroup (comp.risks or equivalent) if possible and convenient for you. The mailman Web interface can be used directly to subscribe and unsubscribe: http://lists.csl.sri.com/mailman/listinfo/risks Alternatively, to subscribe or unsubscribe via e-mail to mailman your FROM: address, send a message to risks-request_at_private containing only the one-word text subscribe or unsubscribe. You may also specify a different receiving address: subscribe address= ... . You may short-circuit that process by sending directly to either risks-subscribe_at_private or risks-unsubscribe_at_private depending on which action is to be taken. Subscription and unsubscription requests require that you reply to a confirmation message sent to the subscribing mail address. Instructions are included in the confirmation message. Each issue of RISKS that you receive contains information on how to post, unsubscribe, etc. => The complete INFO file (submissions, default disclaimers, archive sites, copyright policy, etc.) is online. <http://www.CSL.sri.com/risksinfo.html> The full info file may appear now and then in RISKS issues. *** Contributors are assumed to have read the full info file for guidelines. => .UK users may contact <Lindsay.Marshall_at_private>. => SPAM challenge-responses will not be honored. Instead, use an alternative address from which you NEVER send mail! => SUBMISSIONS: to risks_at_private with meaningful SUBJECT: line. *** NOTE: Including the string "notsp" at the beginning or end of the subject *** line will be very helpful in separating real contributions from spam. *** This attention-string may change, so watch this space now and then. => ARCHIVES: ftp://ftp.sri.com/risks for current volume or ftp://ftp.sri.com/VL/risks for previous VoLume http://www.risks.org takes you to Lindsay Marshall's searchable archive at newcastle: http://catless.ncl.ac.uk/Risks/VL.IS.html gets you VoLume, ISsue. Lindsay has also added to the Newcastle catless site a palmtop version of the most recent RISKS issue and a WAP version that works for many but not all telephones: http://catless.ncl.ac.uk/w/r <http://the.wiretapped.net/security/info/textfiles/risks-digest/> . ==> PGN's comprehensive historical Illustrative Risks summary of one liners: <http://www.csl.sri.com/illustrative.html> for browsing, <http://www.csl.sri.com/illustrative.pdf> or .ps for printing is no longer maintained up-to-date except for recent election problems. ==> Special Offer to Join ACM for readers of the ACM RISKS Forum: <http://www.acm.org/joinacm1> ------------------------------ End of RISKS-FORUM Digest 26.49 ************************Received on Mon Jul 25 2011 - 17:49:15 PDT
This archive was generated by hypermail 2.2.0 : Mon Jul 25 2011 - 23:33:17 PDT