[RISKS] Risks Digest 26.62

From: RISKS List Owner <risko_at_private>
Date: Fri, 18 Nov 2011 15:30:03 PST
RISKS-LIST: Risks-Forum Digest  Friday 18 November 2011  Volume 26 : Issue 62

ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
Peter G. Neumann, moderator, chmn ACM Committee on Computers and Public Policy

***** See last item for further information, disclaimers, caveats, etc. *****
This issue is archived at <http://www.risks.org> as
  <http://catless.ncl.ac.uk/Risks/26.62.html>
The current issue can be found at
  <http://www.csl.sri.com/users/risko/risks.txt>

  Contents:
U.S. water plants reportedly hit by cyber attacks (Gene Wirchenko)
Remotely Opening Prison Doors (Bruce Schneier)
Digital surveillance camera held sensitive unrelated photos (Mark Brader)
The government is going overboard in Internet copyright control (Vint Cerf)
"Who Decides Who You Are Online?" (Somini Sengupta)
Facebook's tracking of other Web site visits under fire (USA Today)
How Google, by voluntarily implementing facial blurring... (jidanni)
"Coming conundrum: Malware signed by a legitimate developer" (Robert Lemos)
Standard and Poor's and France's credit (Mark Brader)
Congress Declares War on the Global Internet - Internet Replies "Bring It On!"
  (Lauren Weinstein)
Insider fraud (Michael Lee)
Re: ANA plane goes nearly belly up ... wrong knob turned (Tony B Atkinson)
Re: The Coming Fascist Internet (Mike Smith)
Does this icon mean YES or NO? (jidanni)
Abridged info on RISKS (comp.risks)

----------------------------------------------------------------------

Date: Fri, 18 Nov 2011 11:33:37 -0800
From: Gene Wirchenko <genew_at_private>
Subject: Update: U.S. water plants reportedly hit by cyber attacks

Robert Lemos, *InfoWorld*, 18 Nov 2011
Update: U.S. water plants reportedly hit by cyber attacks
In separate incidents, hackers allegedly caused a water pump failure at an
Illinois utility and showed off purported access to water supply systems for
a Texas city
http://www.infoworld.com/t/network-security/us-water-plants-reportedly-hit-cyber-attacks-179456

opening text:

Security experts have long worried that a knowledgeable hacker could damage
the critical infrastructure that supplies power, water, and other utilities
to U.S. citizens. The few incidents of cyber attacks on utilities, where
details became public, have underscored the danger while at the same time
signaling that such attacks may not be common.

Two events this week may change that perception.

------------------------------

Date: Tue, 15 Nov 2011 01:42:55 -0600
From: Bruce Schneier <schneier_at_private>
Subject: Remotely Opening Prison Doors (CRYPTO-GRAM, November 15, 2011)

Bruce Schneier, Chief Security Technology Officer, BT, schneier_at_private
http://www.schneier.com, PGN-excerpted from CRYPTO-GRAM, 15 Nov 2011,

Researchers have found a vulnerability in computer-controlled prison-door
systems that allows them to be remotely opened over the Internet.  This
assumes that they're connected to the Internet in the first place, which
some of them are.

The weirdest part of the article was this last paragraph.

  "You could open every cell door, and the system would be telling the
  control room they are all closed," Strauchs, a former CIA operations
  officer, told the Times. He said that he thought the greatest threat was
  that the system would be used to create the conditions needed for the
  assassination of a target prisoner.

I guess that's a threat.  But the *greatest* threat?

http://arstechnica.com/business/news/2011/11/vulnerabilities-give-hackers-ability-to-open-prison-cells-from-afar.ars
or http://tinyurl.com/7533eze

The original paper:
http://www.google.co.uk/url?sa=t&rct=j&q=tiffany%20rad%2C%20teague%20newman%2C%20and%20john%20strauchs&source=web&cd=2&ved=0CCMQFjAB&url=http%3A%2F%2Fwww.exploit-db.com%2Fdownload_pdf%2F17979%2F&ei=iznBTtzMLsew8gPLxNSfBA&usg=AFQjCNFwfgrkcWZC2Cg5R2FgNpSLd24orQ&sig2=Oz90YVa4SCdCeErXfKc_EQ
or http://tinyurl.com/ccvjl7q

------------------------------

Date: Wed, 16 Nov 2011 17:54:50 -0500 (EST)
From: msb_at_private (Mark Brader)
Subject: Digital surveillance camera held sensitive unrelated photos

In Grand Forks, BC, Canada, Dion Nordick saw a camera flash outside
his home, and found two surveillance cameras on poles overlooking
the place.  They belong to the RCMP (Royal Canadian Mounted Police),
who Nordick thinks suspect him of graffiti and/or drug offenses.

Nordick took the cameras down and looked at the pictures taken.
And he found that one camera held large numbers of photos related
to unrelated incidents, taken before it was placed there.  Among
other things, there were photos of a woman in her underwear,
showing her bruise-covered body; also drug busts and suicides.

Even if the RCMP is right when they say that the cameras were legally
placed on public property and Nordick's action is a theft, it still
seems as though they could have done a better job as regards
protecting the privacy of those photos.

http://www.cbc.ca/news/canada/british-columbia/story/2011/11/15/bc-rcmp-surveillance-cameras-found.html

------------------------------

Date: Mon, 14 Nov 2011 16:20:57 -0800
From: Lauren Weinstein <lauren_at_private>
Subject: The government is going overboard in Internet copyright control
  (Vint Cerf)

Vint Cerf: The government is going overboard in Internet copyright control
http://j.mp/vwooUt  (VentureBeat)

  "When asked what he would tell the developer of the Next Big Thing, the
  technology that could replace the Internet, Cerf said, "Shoot the patent
  lawyer."  The room, which was full of chief information officers for
  large, proprietary companies, burst into both laughter and applause.  Cerf
  continued, "Bob [Kahn] and I knew we could not succeed if we tried to
  protect the Internet's design. As it turns out that worked out really
  well, and I think that's still pretty good advice."  Cerf also spoke out
  against the Department of Homeland Security's recent seizures of websites,
  such as last year's seizure of scores of music sites and communities for
  copyright violations, which he called "a blunt instrument that can and
  should be exercised much more carefully."

------------------------------

Date: Mon, 14 Nov 2011 15:31:55 -0800
From: Lauren Weinstein
Subject: "Who Decides Who You Are Online?" (Somini Sengupta)

  "As the Internet becomes the place for all kinds of transactions, from
  buying shoes to overthrowing despots, an increasingly vital debate is
  emerging over how people represent and reveal themselves on the Web sites
  they visit. One side envisions a system in which you use a sort of digital
  passport, bearing your real name and issued by a company like Facebook, to
  travel across the Internet. Another side believes in the right to don
  different hats - and sometimes masks - so you can consume and express what
  you want, without fear of offline repercussions.  The argument over
  pseudonyms - known online as the "nym wars" - goes to the heart of how the
  Internet might be organized in the future.  Major Internet companies like
  Google, Facebook and Twitter have a valuable stake in this debate - and,
  in some cases, vastly different corporate philosophies on the issue that
  signal their own ambitions."  http://j.mp/s9UcL0

    [This quote is excerpted from a long article by Somini Sengupta, *The
    New York Times*, 14 Nov 2011, entitled Rushdie Runs Afoul of Web's
    Real-Name Police, which Google headlines as "Rushdie Wins Facebook
    Fight Over Identity".  PGN]

------------------------------

Date: Wed, 16 Nov 2011 17:02:35 -0800
From: Lauren Weinstein <lauren_at_private>
Subject: Facebook's tracking of other Web site visits under fire (NNSquad)

Facebook's tracking of other Web site visits under fire

http://j.mp/rPOKmj  (USA Today)

  "Facebook officials are now acknowledging that the social media giant has
  been able to create a running log of the web pages that each of its 800
  million or so members has visited during the previous 90 days.  Facebook
  also keeps close track of where millions more non-members of the social
  network go on the Web, after they visit a Facebook web page for any
  reason."

------------------------------

Date: Wed, 16 Nov 2011 06:44:30 +0800
From: jidanni_at_private
Subject: How Google, by voluntarily implementing facial blurring...

"It is also a case study of how Google, by voluntarily implementing
facial blurring in its relatively new but hugely popular Street View
automated 360-degree panoramas, created norms in the minds of regulators
that they are now eager to set in stone legally."

Why don't they also blur pets while they are at it?

http://dliberation.org/2011/11/11/in-slovenia-panoramic-photography-comes-under-regulatory-attack/

------------------------------

Date: Fri, 18 Nov 2011 10:13:08 -0800
From: Gene Wirchenko <genew_at_private>
Subject: "Coming conundrum: Malware signed by a legitimate developer"

Robert Lemos, *InfoWorld*, 17 Nov 2011
Coming conundrum: Malware signed by a legitimate developer
Cyber criminals are stealing code-signing certificates, allowing
their malware to get by some defenses
http://www.infoworld.com/t/application-security/coming-conundrum-malware-signed-legitimate-developer-179376

selected text:

Signed code has become one of the common measures used to secure various
computing platforms.

Yet cyber criminals and other attackers are starting to use signed code to
evade security measures by stealing legitimate certificates from software
developers, then using the certificates to sign their malicious programs.

In 2009, the company [AVG] detected about 30,000 malicious programs signed
with legitimate -- albeit stolen or fraudulently issued -- certificates. The
next year, that number increased by a third and is on track to triple in
2011.
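
The article's point is that a valid signature proves only that someone held the signing key, not that the signer was the legitimate developer or that the code is benign. The following is an added example, not code from the InfoWorld article or from AVG, written to show the difference between a "signed, therefore trusted" check and a policy that pins signing keys to the publisher expected for a given install slot and honours a revocation list. It uses a bare Ed25519 key pair as a stand-in for an X.509 code-signing certificate, and a key-fingerprint allow-list as a stand-in for chain validation and publisher pinning; the publisher names and artifact contents are constructed for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// SignedArtifact is what an installer or loader receives: the code bytes, a
// detached signature, and the public key the signature claims to come from.
type SignedArtifact struct {
	Code []byte
	Sig  []byte
	Pub  ed25519.PublicKey
}

// Sign produces a signed artifact. A thief who has copied the private key
// calls exactly the same function, which is the whole problem.
func Sign(priv ed25519.PrivateKey, code []byte) SignedArtifact {
	return SignedArtifact{
		Code: code,
		Sig:  ed25519.Sign(priv, code),
		Pub:  priv.Public().(ed25519.PublicKey),
	}
}

// Fingerprint identifies a signing key by the SHA-256 of its public half
// (stand-in for a certificate thumbprint).
func Fingerprint(pub ed25519.PublicKey) string {
	sum := sha256.Sum256(pub)
	return hex.EncodeToString(sum[:])
}

// NaiveCheck is the "signed, therefore safe" logic the article warns about:
// any mathematically valid signature is accepted, whoever holds the key.
func NaiveCheck(a SignedArtifact) bool {
	return ed25519.Verify(a.Pub, a.Code, a.Sig)
}

// Policy is what a verifier needs beyond the signature itself.
type Policy struct {
	Publishers map[string]string // key fingerprint -> publisher it is pinned to
	Revoked    map[string]bool   // fingerprints reported stolen or misissued
}

// Check accepts an artifact only if the signature verifies, the key has not
// been revoked, and the key is the one pinned for the publisher expected at
// this install slot. Revocation here rejects everything signed by the key;
// a production verifier would use a trusted countersigned timestamp to keep
// accepting code signed before the compromise was reported.
func (p Policy) Check(a SignedArtifact, expectedPublisher string) error {
	if !ed25519.Verify(a.Pub, a.Code, a.Sig) {
		return fmt.Errorf("signature does not verify")
	}
	fp := Fingerprint(a.Pub)
	if p.Revoked[fp] {
		return fmt.Errorf("signing key %s is revoked", fp[:12])
	}
	owner, ok := p.Publishers[fp]
	if !ok {
		return fmt.Errorf("signing key %s is not pinned to any publisher", fp[:12])
	}
	if owner != expectedPublisher {
		return fmt.Errorf("signing key belongs to %q, expected %q", owner, expectedPublisher)
	}
	return nil
}

func main() {
	devPub, devPriv, _ := ed25519.GenerateKey(rand.Reader) // the developer's key
	policy := Policy{
		Publishers: map[string]string{Fingerprint(devPub): "Example Software Ltd"},
		Revoked:    map[string]bool{},
	}
	update := Sign(devPriv, []byte("legitimate update v2.1"))
	malware := Sign(devPriv, []byte("dropper built with the stolen key"))

	// Both verify: the naive check cannot tell them apart.
	fmt.Println("naive:", NaiveCheck(update), NaiveCheck(malware))
	// Pinning stops the stolen key from impersonating a different publisher.
	fmt.Println("wrong slot:", policy.Check(malware, "Other Corp"))
	// Only revocation, once the theft is known, stops the malware in the right slot.
	policy.Revoked[Fingerprint(devPub)] = true
	fmt.Println("after revocation:", policy.Check(malware, "Example Software Ltd"))
}
```

The first print shows why signed malware slips past defences that stop at signature validity; the second shows that publisher pinning limits a stolen key to the one product it was issued for; the third shows that revocation is the only control that closes the gap, which is why the AVG numbers quoted above matter: each stolen certificate is useful to an attacker until it is revoked and the revocation is actually checked.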

------------------------------

Date: Wed, 16 Nov 2011 18:01:31 -0500 (EST)
From: msb_at_private (Mark Brader)
Subject: Standard and Poor's and France's credit

You've probably received submissions about the incident last week when
it appeared, due to a technical error, that Standard and Poor's had
downgraded France's national credit rating.

Here's what happened:

   http://online.wsj.com/article/BT-CO-20111111-712287.html

In case the link does not remain valid, the key part reads:

|  Friday, S&P said the mistake arose because it had placed France's banking
|  industry country risk assessment, which is not a credit rating, in its
|  online portal last December to test a method of displaying the information
|  on individual pages.  The ratings service used France's banking risk
|  assessment to test the change but did not enter the other 85 country
|  rankings in the same way.
|
|  That difference prompted the item on France's status to display N/A, or
|  not available, on S&P's Global Credit Portal page when it went live
|  Thursday, which triggered its system to interpret the change as a
|  downgrade.
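
The failure in the excerpt is a classic one: a field that was "not available" was fed to logic that only knew how to compare ratings, and the missing value sorted as if it were the worst possible rating. The following is an added example, not S&P's code or anything the WSJ article describes in detail; the rating scale is a constructed subset and the feed entries are made up. It puts a naive comparison that treats any unknown symbol as "below the scale" beside one that refuses to produce a rating action at all when either value is not a rating.

```go
package main

import "fmt"

// Scale is an ordered list of rating symbols, best first. Constructed subset
// for this example, not a published scale.
var Scale = []string{"AAA", "AA+", "AA", "AA-", "A+", "A", "A-", "BBB+", "BBB", "BBB-"}

// lookup returns the position of a symbol on the scale and whether the symbol
// is a rating at all. "N/A", "", or a stray risk-assessment code is not.
func lookup(r string) (int, bool) {
	for i, s := range Scale {
		if s == r {
			return i, true
		}
	}
	return 0, false
}

// NaiveClassify mirrors the failure described above: it compares whatever
// strings the portal shows. An unknown symbol is pushed past the end of the
// scale, so a page that changes from "AAA" to "N/A" reads as a downgrade.
func NaiveClassify(prev, cur string) string {
	rank := func(r string) int {
		if i, ok := lookup(r); ok {
			return i
		}
		return len(Scale) // below the worst real rating
	}
	switch {
	case rank(cur) > rank(prev):
		return "downgrade"
	case rank(cur) < rank(prev):
		return "upgrade"
	}
	return "unchanged"
}

// Classify produces a rating action only when both values are ratings; a
// missing or malformed value is surfaced as a data problem instead.
func Classify(prev, cur string) (string, error) {
	p, okp := lookup(prev)
	c, okc := lookup(cur)
	if !okp || !okc {
		return "", fmt.Errorf("not a rating change: previous=%q current=%q (data unavailable or malformed)", prev, cur)
	}
	switch {
	case c > p:
		return "downgrade", nil
	case c < p:
		return "upgrade", nil
	}
	return "unchanged", nil
}

func main() {
	// Constructed feed: a real downgrade, an unchanged entry, and the N/A case.
	feed := []struct{ entity, prev, cur string }{
		{"Country A", "AA", "AA-"},
		{"Country B", "AAA", "AAA"},
		{"Country C", "AAA", "N/A"},
	}
	for _, e := range feed {
		naive := NaiveClassify(e.prev, e.cur)
		action, err := Classify(e.prev, e.cur)
		if err != nil {
			fmt.Printf("%-10s naive=%-9s robust=DATA ALERT (%v)\n", e.entity, naive, err)
			continue
		}
		fmt.Printf("%-10s naive=%-9s robust=%s\n", e.entity, naive, action)
	}
}
```

The general rule the example illustrates is that a "missing" sentinel must never be representable on the same axis as the values it stands in for; once it is, every downstream comparison silently turns an outage into an event.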

------------------------------

Date: Wed, 16 Nov 2011 13:19:00 -0800 (PST)
From: lauren_at_private
Subject: Congress Declares War on the Global Internet - Internet Replies
  "Bring It On!"

 Lauren Weinstein's Blog Update: Congress Declares War on the Global
 Internet - Internet Replies "Bring It On!", 16 Nov 2011
 http://lauren.vortex.com/archive/000912.html

In my previous posting, The Coming Fascist Internet, I explained how
government moves to control and censor the Internet, including
hypocritically by the U.S. -- are pointing to an Internet future that can
quite reasonably be equated with fascism.  Strong words I know, but
unfortunately true ones.

If you needed more proof, you only needed to observe today's Congressional
hearing on SOPA (Stop Online Piracy Act), which was much more akin to a
lynch mob, or a scene from a dictator's kangaroo court, than an honest attempt
to explore the issues.

The hearing was stacked with SOPA proponents whose goal is simple -- get the
entire Internet around the world under the boot of U.S.-ordered censorship
and total control.

The only real anti-SOPA witness the House Judiciary Committee permitted
was Katherine Oyama of Google, and the Committee overall treated her
with the kind of unfairness and contempt that make everyday bullies and
criminals look like rank amateurs.
http://arstechnica.com/tech-policy/news/2011/11/at-web-censorship-hearing-congress-guns-for-pro-pirate-google.ars

It was a disgusting display by Congress, and a clear signal of how our
leaders (from both parties) are hellbent on destroying Internet freedoms as
we know them today.

If this all weren't so deadly serious, there would almost be comical
aspects.  The MPAA, faced with complaints that SOPA (and the similar
legislation on the Senate side -- PIPA [PROTECT IP]) would break DNSSEC,
merrily suggested that it simply should be rewritten so that government
censorship orders could be easily implemented.

That the MPAA would make asinine comments like that is actually easy to
understand.  After all, they view the entire world as simply a film script
to be sent out for rewrites on demand.  And since their real goal (along
with various of their brethren) is to rewrite technology to protect their
traditional profit centers -- civil rights be damned -- we should not be
surprised when they treat the entire planet like extras to be ordered around
like slaves.

So Congress wants to declare War.  Judging from my email, the Internet is
champing at the bit for battle.

I have never before seen such a flood of messages ranging from "I'm
terrified for our future" to "What can we do?" to "Here are my ideas for
fighting back."

It's certain that this war could bring with it many casualties.  Network
fragmentation in various forms is an obvious example, since the rest of the
world seems unwilling (surprise!) to allow the U.S. to keep dictating
Internet policy forever, especially when the U.S. wants to use its skewed
control over the DNS (Domain Name System) as a judge, jury, and executioner
baton to beat other countries' sensibilities to a pulp.

All manner of "workarounds" to such censorship are being proposed, many
extremely intriguing, most of which would actually be illicit under the
anti-circumvention provisions of SOPA. There's been a massive increase in
queries regarding my proposed distributed Internet naming system (IDONS,
http://lauren.vortex.com/archive/000787.html), but this is a long-term
proposal, not a weapon for the immediate battles at hand.

Still, it is apparent that if Congress proceeds along their current path of
trying to dictatorially censor sites, search engines, and other aspects of
Internet operations, they will be setting loose the technological dogs of
war in ways that are beyond the scope of their darkest nightmares, and that
make "Anonymous" and the "Occupy" movement look like fleas on an elephant by
comparison.

That isn't a threat.  It's a prediction.  It's a prediction made with the
hope (though admittedly not the expectation) that Congress will step back
from the precipice that leads to the destruction of the Internet in the form
that has brought freedom of communication to the world, to a degree and in
manners never before imagined.

Congress' approach to dealing with the issues of piracy is to figuratively
use hydrogen bombs as a palliative measure -- cities reduced to rubble won't
have much of a piracy problem.

But in the real world of the Net, the technological means to fight such a
war are remarkably well distributed among Internet users at large.  It seems
as if the Congressional push for SOPA/PIPA reveals an utter cluelessness by
Congress regarding what is actually about to be unleashed.

If Congress really wants to go to war against the Internet, they'll have
their war.  But it will be like nothing the world has ever seen before.  You
can count on it.

------------------------------

Date: Fri, 18 Nov 2011 8:26:04 PST
From: "Peter G. Neumann" <neumann_at_private>
Subject: Insider fraud (Michael Lee)

Michael Lee, ZDNet, 17 Nov 2011, ZDNet.com.au <http://ZDNet.com.au>
http://www.zdnet.com.au/wealthy-staff-not-hackers-often-thieves-339326370.htm
  [Item thanks to Jeremy Epstein.  PGN]

Companies are being duped more by their own employees than by external
hackers when it comes to cyber fraud, according to KPMG Forensic associate
director Stan Gallo, and those employees are often high earners.

Gallo presented his talk on corporate identity theft and fraud at Attachmate
Group's A Powerful Connection 2011 event today in Sydney, revealing that the
typical fraudster isn't your average, scruffy-looking bedroom hacker, but
more likely an insider within the corporation.

In 65 per cent of all fraud cases, insiders tap into an organisation's IT
systems, secretly siphoning off money from the company, or selling
intellectual property.

One example that Gallo provided was a mother who helped herself to $1.2
million on top of her $40,000 salary by gaming the company's invoicing
system. Working in the accounts-payable department of the company, she
noticed that payment details were being stored on a shared network
drive. After editing the file to fill her own account, she would wait until
repeat invoices would be issued, and then abuse her position to approve the
payment, hiding it among the other several thousand payments that the
company made to cover her tracks.

Although the average amount stolen in Australia was $229,000 per incident,
Gallo said that women tended to steal much more than men. Yet, in general,
the thefts were more likely to have been perpetrated by a man.  [...]
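
The scheme described above has a signature that audit data can catch: the same person edits a payee's bank details in the master file and then approves a payment to that payee. The following is an added example, not code from ZDNet or KPMG, and the audit record layout, names, amounts and dates are constructed for it. It runs two rules over sample records: a separation-of-duties rule (the approver of a payment must not be the last person to change that vendor's bank account within a lookback window), and a generalisation the article does not spell out but that the same fraud pattern implies, one bank account registered under more than one vendor.

```go
package main

import (
	"fmt"
	"time"
)

// BankDetailChange is an audit record from the payee master file (constructed
// layout; the article does not describe the company's actual logs).
type BankDetailChange struct {
	At      time.Time
	Actor   string // who edited the record
	Vendor  string
	Account string // new bank account number
}

// PaymentApproval is an audit record from the payment run.
type PaymentApproval struct {
	At       time.Time
	Approver string
	Vendor   string
	Amount   float64
}

type Alert struct {
	Vendor string
	Actor  string
	Reason string
}

// latestChangeBefore returns the most recent bank-detail change for vendor
// recorded strictly before t, or nil if there is none.
func latestChangeBefore(changes []BankDetailChange, vendor string, t time.Time) *BankDetailChange {
	var best *BankDetailChange
	for i := range changes {
		c := &changes[i]
		if c.Vendor != vendor || !c.At.Before(t) {
			continue
		}
		if best == nil || c.At.After(best.At) {
			best = c
		}
	}
	return best
}

// Detect applies two rules:
//  1. separation of duties: whoever last changed a vendor's bank details may
//     not approve a payment to that vendor within `window` of the change;
//  2. account reuse: one bank account registered under two different vendors.
func Detect(changes []BankDetailChange, approvals []PaymentApproval, window time.Duration) []Alert {
	var alerts []Alert
	for _, a := range approvals {
		c := latestChangeBefore(changes, a.Vendor, a.At)
		if c != nil && c.Actor == a.Approver && a.At.Sub(c.At) <= window {
			alerts = append(alerts, Alert{a.Vendor, a.Approver,
				fmt.Sprintf("approved %.2f %s after editing the payee's bank account", a.Amount, a.At.Sub(c.At))})
		}
	}
	owner := map[string]string{} // account -> first vendor seen with it
	for _, c := range changes {
		if v, seen := owner[c.Account]; seen && v != c.Vendor {
			alerts = append(alerts, Alert{c.Vendor, c.Actor,
				fmt.Sprintf("account %s is already registered to vendor %s", c.Account, v)})
		} else if !seen {
			owner[c.Account] = c.Vendor
		}
	}
	return alerts
}

// SampleData is constructed: an accounts-payable clerk (jdoe) rewrites two
// vendors' accounts to the same number and approves the repeat invoices.
func SampleData() ([]BankDetailChange, []PaymentApproval) {
	day := func(d, h int) time.Time { return time.Date(2011, 11, d, h, 0, 0, 0, time.UTC) }
	changes := []BankDetailChange{
		{day(1, 9), "vendor-onboarding", "Acme Supplies", "ACC-1001"},
		{day(1, 9), "vendor-onboarding", "Northern Freight", "ACC-2002"},
		{day(3, 17), "jdoe", "Acme Supplies", "ACC-9999"},
		{day(10, 8), "jdoe", "Northern Freight", "ACC-9999"},
	}
	approvals := []PaymentApproval{
		{day(5, 10), "jdoe", "Acme Supplies", 48200},
		{day(5, 10), "msmith", "Northern Freight", 12000},
		{day(12, 11), "jdoe", "Northern Freight", 31000},
	}
	return changes, approvals
}

func main() {
	changes, approvals := SampleData()
	for _, a := range Detect(changes, approvals, 30*24*time.Hour) {
		fmt.Printf("%-17s %-8s %s\n", a.Vendor, a.Actor, a.Reason)
	}
}
```

On the sample data the separation-of-duties rule fires twice (both of jdoe's approvals follow her own edits) and the account-reuse rule once; the approval by msmith is clean because the last change to that vendor before it was made by someone else. The window matters: the scheme in the article relied on waiting for repeat invoices, so a lookback of days rather than hours is what catches it.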

------------------------------

Date: Wed, 16 Nov 2011 17:24:01 +0000
From: Tony B Atkinson <tony.atkinson_at_private>
Subject: Re: ANA plane goes nearly belly up ... wrong knob turned (Disdale,
  RISKS-26.61)

Pete Disdale <risks_at_private> writes:

> I ... find this astonishing. I had always believed that flight deck
> controls (knobs, levers etc.) were required to be "different" -
> i.e. different colours, shapes - in order to avoid or minimise any
> confusion by the pilot.

In fact, the two knobs are distinctly different in size and shape. You can
see a photo at www.tinyurl.com/humanfactorsblog .

The flightdeck illustrated has the two controls adjacent. I believe that on
the ANA control pedestal the knobs are slightly further apart, but still
pretty close. The pilot has to reach behind him to access the control, it's
effectively out of his line of sight. Distinguishing the control is probably
done by feel most of the time. Incident waiting to happen really. As has
been pointed out, the cabin door lock may be a retrofit or post-original
design. It would have been better to use a different 'affordance' for the
door lock and also to make the rudder control something like a 'push and
twist'.

Ahh, the benefit of hindsight.

Tony Atkinson, Process Safety Consultant (Human Factors)

------------------------------

Date: Tue, 15 Nov 2011 10:43:40 -0500
From: "Smith, Mike" <msmith_at_private>
Subject: Re: The Coming Fascist Internet (Weinstein, RISKS-26.61)

It seems to me there are some competing interests here.  Just to focus on
the intellectual property issue, I note two clauses in the Universal
Declaration of Human Rights (http://www.un.org/en/documents/udhr/):

Article 19: Everyone has the right to freedom of opinion and expression;
this right includes freedom to hold opinions without interference and to
seek, receive and impart information and ideas through any media and
regardless of frontiers.

Article 27(2): Everyone has the right to the protection of the moral and
material interests resulting from any scientific, literary or artistic
production of which he is the author.

Does Article 19 give one the right to receive and impart someone else's
scientific, literary or artistic productions without regard to the author's
moral and material interests?  That seems to be what Lauren is advocating.
I'm not so sure.  And if governments and other entities that operate the
communications media are not to provide the protection to which authors of
bit-based products are entitled under 27(2), then who is?

How about Article 29(2)?: In the exercise of his rights and freedoms,
everyone shall be subject only to such limitations as are determined by law
solely for the purpose of securing due recognition and respect for the
rights and freedoms of others and of meeting the just requirements of
morality, public order and the general welfare in a democratic society.

Ah.  There are legitimate reasons for passing laws to limit certain rights
in order to protect other rights.  We can debate the extent of those
limitations, but not that some limitations are, in fact, necessary.

Mike Smith, CISSP, Senior IT Security Engineer, AEPOS Technologies Corporation
(613) 237-3022 www.aepos.com

------------------------------

Date: Mon, 14 Nov 2011 13:57:21 +0800
From: jidanni_at_private
Subject: Does this icon mean YES or NO?

[(Smørgrav, RISKS-26.61)]
> replacing text buttons with non-obvious icons

Every day, all over the Internet, like some kind of game.  Fortunately being
a computer wiz, I can look into the HTML source of such web pages to find
what the names of the icons being used are, e.g., YES.gif, NO.gif. Wouldn't
want to click on Mr. WRONG.

------------------------------

Date: Mon, 6 Jun 2011 20:01:16 -0900
From: RISKS-request_at_private
Subject: Abridged info on RISKS (comp.risks)

 The ACM RISKS Forum is a MODERATED digest. Its Usenet manifestation is
 comp.risks, the feed for which is donated by panix.com as of June 2011.
=> SUBSCRIPTIONS: PLEASE read RISKS as a newsgroup (comp.risks or equivalent)
 if possible and convenient for you.  The mailman Web interface can
 be used directly to subscribe and unsubscribe:
   http://lists.csl.sri.com/mailman/listinfo/risks
 Alternatively, to subscribe or unsubscribe via e-mail to mailman
 your FROM: address, send a message to
   risks-request_at_private
 containing only the one-word text subscribe or unsubscribe.  You may
 also specify a different receiving address: subscribe address= ... .
 You may short-circuit that process by sending directly to either
   risks-subscribe_at_private or risks-unsubscribe_at_private
 depending on which action is to be taken.

 Subscription and unsubscription requests require that you reply to a
 confirmation message sent to the subscribing mail address.  Instructions
 are included in the confirmation message.  Each issue of RISKS that you
 receive contains information on how to post, unsubscribe, etc.

=> The complete INFO file (submissions, default disclaimers, archive sites,
 copyright policy, etc.) is online.
   <http://www.CSL.sri.com/risksinfo.html>
 The full info file may appear now and then in RISKS issues.
 *** Contributors are assumed to have read the full info file for guidelines.

=> .UK users may contact <Lindsay.Marshall_at_private>.
=> SPAM challenge-responses will not be honored.  Instead, use an alternative
 address from which you NEVER send mail!
=> SUBMISSIONS: to risks_at_private with meaningful SUBJECT: line.
 *** NOTE: Including the string "notsp" at the beginning or end of the subject
 *** line will be very helpful in separating real contributions from spam.
 *** This attention-string may change, so watch this space now and then.
=> ARCHIVES: ftp://ftp.sri.com/risks for current volume
     or ftp://ftp.sri.com/VL/risks for previous VoLume
 http://www.risks.org takes you to Lindsay Marshall's searchable archive at
 newcastle: http://catless.ncl.ac.uk/Risks/VL.IS.html gets you VoLume, ISsue.
   Lindsay has also added to the Newcastle catless site a palmtop version
   of the most recent RISKS issue and a WAP version that works for many but
   not all telephones: http://catless.ncl.ac.uk/w/r
 <http://the.wiretapped.net/security/info/textfiles/risks-digest/> .
==> PGN's comprehensive historical Illustrative Risks summary of one liners:
    <http://www.csl.sri.com/illustrative.html> for browsing,
    <http://www.csl.sri.com/illustrative.pdf> or .ps for printing
  is no longer maintained up-to-date except for recent election problems.
==> Special Offer to Join ACM for readers of the ACM RISKS Forum:
    <http://www.acm.org/joinacm1>

------------------------------

End of RISKS-FORUM Digest 26.62
************************