RISKS-LIST: Risks-Forum Digest  Friday 18 November 2011  Volume 26 : Issue 62

ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
Peter G. Neumann, moderator, chmn ACM Committee on Computers and Public Policy

***** See last item for further information, disclaimers, caveats, etc. *****
This issue is archived at <http://www.risks.org> as
  <http://catless.ncl.ac.uk/Risks/26.62.html>
The current issue can be found at
  <http://www.csl.sri.com/users/risko/risks.txt>

  Contents:
U.S. water plants reportedly hit by cyber attacks (Gene Wirchenko)
Remotely Opening Prison Doors (Bruce Schneier)
Digital surveillance camera held sensitive unrelated photos (Mark Brader)
The government is going overboard in Internet copyright control (Vint Cerf)
"Who Decides Who You Are Online?" (Somini Sengupta)
Facebook's tracking of other Web site visits under fire (USA Today)
How Google, by voluntarily implementing facial blurring... (jidanni)
"Coming conundrum: Malware signed by a legitimate developer" (Robert Lemos)
Standard and Poor's and France's credit (Mark Brader)
Congress Declares War on the Global Internet - Internet Replies
  "Bring It On!" (Lauren Weinstein)
Insider fraud (Michael Lee)
Re: ANA plane goes nearly belly up ... wrong knob turned (Tony B Atkinson)
Re: The Coming Fascist Internet (Mike Smith)
Does this icon mean YES or NO? (jidanni)
Abridged info on RISKS (comp.risks)

----------------------------------------------------------------------

Date: Fri, 18 Nov 2011 11:33:37 -0800
From: Gene Wirchenko <genew_at_private>
Subject: Update: U.S. water plants reportedly hit by cyber attacks

Robert Lemos, *InfoWorld*, 18 Nov 2011
Update: U.S. water plants reportedly hit by cyber attacks
In separate incidents, hackers allegedly caused a water pump failure at an
Illinois utility and showed off purported access to water supply systems for
a Texas city
http://www.infoworld.com/t/network-security/us-water-plants-reportedly-hit-cyber-attacks-179456

opening text:

Security experts have long worried that a knowledgeable hacker could damage
the critical infrastructure that supplies power, water, and other utilities
to U.S. citizens. The few incidents of cyber attacks on utilities, where
details became public, have underscored the danger while at the same time
signaling that such attacks may not be common.

Two events this week may change that perception.

------------------------------

Date: Tue, 15 Nov 2011 01:42:55 -0600
From: Bruce Schneier <schneier_at_private>
Subject: Remotely Opening Prison Doors (CRYPTO-GRAM, November 15, 2011)

Bruce Schneier, Chief Security Technology Officer, BT, schneier_at_private
http://www.schneier.com, PGN-excerpted from CRYPTO-GRAM, 15 Nov 2011

Researchers have found a vulnerability in computer-controlled prison-door
systems that allows them to be remotely opened over the Internet. This
assumes that they're connected to the Internet in the first place, which
some of them are.

The weirdest part of the article was this last paragraph.

  "You could open every cell door, and the system would be telling the
  control room they are all closed," Strauchs, a former CIA operations
  officer, told the Times. He said that he thought the greatest threat was
  that the system would be used to create the conditions needed for the
  assassination of a target prisoner.

I guess that's a threat. But the *greatest* threat?

http://arstechnica.com/business/news/2011/11/vulnerabilities-give-hackers-ability-to-open-prison-cells-from-afar.ars
or http://tinyurl.com/7533eze

The original paper:
http://www.google.co.uk/url?sa=t&rct=j&q=tiffany%20rad%2C%20teague%20newman%2C%20and%20john%20strauchs&source=web&cd=2&ved=0CCMQFjAB&url=http%3A%2F%2Fwww.exploit-db.com%2Fdownload_pdf%2F17979%2F&ei=iznBTtzMLsew8gPLxNSfBA&usg=AFQjCNFwfgrkcWZC2Cg5R2FgNpSLd24orQ&sig2=Oz90YVa4SCdCeErXfKc_EQ
or http://tinyurl.com/ccvjl7q

------------------------------

Date: Wed, 16 Nov 2011 17:54:50 -0500 (EST)
From: msb_at_private (Mark Brader)
Subject: Digital surveillance camera held sensitive unrelated photos

In Grand Forks, BC, Canada, Dion Nordick saw a camera flash outside his home,
and found two surveillance cameras on poles overlooking the place. They
belong to the RCMP (Royal Canadian Mounted Police), who Nordick thinks
suspect him of graffiti and/or drug offenses.

Nordick took the cameras down and looked at the pictures taken. And he found
that one camera held large numbers of photos related to unrelated incidents,
taken before it was placed there. Among other things, there were photos of a
woman in her underwear, showing her bruise-covered body; also drug busts and
suicides.

Even if the RCMP is right when they say that the cameras were legally placed
on public property and Nordick's action is a theft, it still seems as though
they could have done a better job as regards protecting the privacy of those
photos.

http://www.cbc.ca/news/canada/british-columbia/story/2011/11/15/bc-rcmp-surveillance-cameras-found.html

------------------------------

Date: Mon, 14 Nov 2011 16:20:57 -0800
From: Lauren Weinstein <lauren_at_private>
Subject: The government is going overboard in Internet copyright control
  (Vint Cerf)

Vint Cerf: The government is going overboard in Internet copyright control
http://j.mp/vwooUt (VentureBeat)

"When asked what he would tell the developer of the Next Big Thing, the
technology that could replace the Internet, Cerf said, "Shoot the patent
lawyer." The room, which was full of chief information officers for large,
proprietary companies, burst into both laughter and applause. Cerf
continued, "Bob [Kahn] and I knew we could not succeed if we tried to
protect the Internet's design. As it turns out that worked out really well,
and I think that's still pretty good advice."

Cerf also spoke out against the Department of Homeland Security's recent
seizures of websites, such as last year's seizure of scores of music sites
and communities for copyright violations, which he called "a blunt
instrument that can and should be exercised much more carefully."

------------------------------

Date: Mon, 14 Nov 2011 15:31:55 -0800
From: Lauren Weinstein
Subject: "Who Decides Who You Are Online?" (Somini Sengupta)

"As the Internet becomes the place for all kinds of transactions, from
buying shoes to overthrowing despots, an increasingly vital debate is
emerging over how people represent and reveal themselves on the Web sites
they visit.

One side envisions a system in which you use a sort of digital passport,
bearing your real name and issued by a company like Facebook, to travel
across the Internet. Another side believes in the right to don different
hats - and sometimes masks - so you can consume and express what you want,
without fear of offline repercussions.

The argument over pseudonyms - known online as the "nym wars" - goes to the
heart of how the Internet might be organized in the future. Major Internet
companies like Google, Facebook and Twitter have a valuable stake in this
debate - and, in some cases, vastly different corporate philosophies on the
issue that signal their own ambitions."

http://j.mp/s9UcL0

  [This quote is excerpted from a long article by Somini Sengupta, *The New
  York Times*, 14 Nov 2011, entitled Rushdie Runs Afoul of Web's Real-Name
  Police, which Google headlines as "Rushdie Wins Facebook Fight Over
  Identity".  PGN]

------------------------------

Date: Wed, 16 Nov 2011 17:02:35 -0800
From: Lauren Weinstein <lauren_at_private>
Subject: Facebook's tracking of other Web site visits under fire (NNSquad)

Facebook's tracking of other Web site visits under fire
http://j.mp/rPOKmj (USA Today)

"Facebook officials are now acknowledging that the social media giant has
been able to create a running log of the web pages that each of its 800
million or so members has visited during the previous 90 days. Facebook also
keeps close track of where millions more non-members of the social network
go on the Web, after they visit a Facebook web page for any reason."

------------------------------

Date: Wed, 16 Nov 2011 06:44:30 +0800
From: jidanni_at_private
Subject: How Google, by voluntarily implementing facial blurring...

"It is also a case study of how Google, by voluntarily implementing facial
blurring in its relatively new but hugely popular Street View automated
360-degree panoramas, created norms in the minds of regulators that they
are now eager to set in stone legally."

Why don't they also blur pets while they are at it?

http://dliberation.org/2011/11/11/in-slovenia-panoramic-photography-comes-under-regulatory-attack/

------------------------------

Date: Fri, 18 Nov 2011 10:13:08 -0800
From: Gene Wirchenko <genew_at_private>
Subject: "Coming conundrum: Malware signed by a legitimate developer"

Robert Lemos, *InfoWorld*, 17 Nov 2011
Coming conundrum: Malware signed by a legitimate developer
Cyber criminals are stealing code-signing certificates, allowing their
malware to get by some defenses
http://www.infoworld.com/t/application-security/coming-conundrum-malware-signed-legitimate-developer-179376

selected text:

Signed code has become one of the common measures used to secure various
computing platforms. Yet cyber criminals and other attackers are starting to
use signed code to evade security measures by stealing legitimate
certificates from software developers, then using the certificates to sign
their malicious programs.

In 2009, the company [AVG] detected about 30,000 malicious programs signed
with legitimate -- albeit stolen or fraudulently issued -- certificates. The
next year, that number increased by a third and is on track to triple in
2011.

------------------------------

Date: Wed, 16 Nov 2011 18:01:31 -0500 (EST)
From: msb_at_private (Mark Brader)
Subject: Standard and Poor's and France's credit

You've probably received submissions about the incident last week when it
appeared, due to a technical error, that Standard and Poor's had downgraded
France's national credit rating. Here's what happened:

http://online.wsj.com/article/BT-CO-20111111-712287.html

In case the link does not remain valid, the key part reads:

| Friday, S&P said the mistake arose because it had placed France's banking
| industry country risk assessment, which is not a credit rating, in its
| online portal last December to test a method of displaying the information
| on individual pages. The ratings service used France's banking risk
| assessment to test the change but did not enter the other 85 country
| rankings in the same way.
|
| That difference prompted the item on France's status to display N/A, or
| not available, on S&P's Global Credit Portal page when it went live
| Thursday, which triggered its system to interpret the change as a
| downgrade.

------------------------------

Date: Wed, 16 Nov 2011 13:19:00 -0800 (PST)
From: lauren_at_private
Subject: Congress Declares War on the Global Internet - Internet Replies
  "Bring It On!"

Lauren Weinstein's Blog Update: Congress Declares War on the Global
Internet - Internet Replies "Bring It On!", 16 Nov 2011
http://lauren.vortex.com/archive/000912.html

In my previous posting, The Coming Fascist Internet, I explained how
government moves to control and censor the Internet, including
hypocritically by the U.S. -- are pointing to an Internet future that can
quite reasonably be equated with fascism. Strong words I know, but
unfortunately true ones.

If you needed more proof, you only needed to observe today's Congressional
hearing on SOPA (Stop Online Piracy Act), which was much more akin to a
lynch mob, or a scene from a dictator's kangaroo court, than an honest
attempt to explore the issues.

The hearing was stacked with SOPA proponents whose goal is simple -- get the
entire Internet around the world under the boot of U.S.-ordered censorship
and total control. The only real anti-SOPA witness the House Judiciary
Committee permitted was Katherine Oyama of Google, and the Committee overall
treated her with the kind of unfairness and contempt
(http://arstechnica.com/tech-policy/news/2011/11/at-web-censorship-hearing-congress-guns-for-pro-pirate-google.ars)
that make everyday bullies and criminals look like rank amateurs.

It was a disgusting display by Congress, and a clear signal of how our
leaders (from both parties) are hellbent on destroying Internet freedoms as
we know them today.

If this all weren't so deadly serious, there would almost be comical
aspects. The MPAA, faced with complaints that SOPA (and the similar
legislation on the Senate side -- PIPA [PROTECT IP]) would break DNSSEC,
merrily suggested that it simply should be rewritten so that government
censorship orders could be easily implemented.

That the MPAA would make asinine comments like that is actually easy to
understand. After all, they view the entire world as simply a film script
to be sent out for rewrites on demand. And since their real goal (along with
various of their brethren) is to rewrite technology to protect their
traditional profit centers -- civil rights be damned -- we should not be
surprised when they treat the entire planet like extras to be ordered around
like slaves.

So Congress wants to declare War. Judging from my email, the Internet is
champing at the bit for battle. I have never before seen such a flood of
messages ranging from "I'm terrified for our future" to "What can we do?" to
"Here are my ideas for fighting back."

It's certain that this war could bring with it many casualties. Network
fragmentation in various forms is an obvious example, since the rest of the
world seems unwilling (surprise!) to allow the U.S. to keep dictating
Internet policy forever, especially when the U.S. wants to use its skewed
control over the DNS (Domain Name System) as a judge, jury, and executioner
baton to beat other countries' sensibilities to a pulp.

All manner of "workarounds" to such censorship are being proposed, many
extremely intriguing, most of which would actually be illicit under the
anti-circumvention provisions of SOPA. There's been a massive increase in
queries regarding my proposed distributed Internet naming system (IDONS,
http://lauren.vortex.com/archive/000787.html), but this is a long-term
proposal, not a weapon for the immediate battles at hand.

Still, it is apparent that if Congress proceeds along their current path of
trying to dictatorially censor sites, search engines, and other aspects of
Internet operations, they will be setting loose the technological dogs of
war in ways that are beyond the scope of their darkest nightmares, and that
make "Anonymous" and the "Occupy" movement look like fleas on an elephant by
comparison.

That isn't a threat. It's a prediction.

It's a prediction made with the hope (though admittedly not the expectation)
that Congress will step back from the precipice that leads to the
destruction of the Internet in the form that has brought freedom of
communication to the world, to a degree and in manners never before
imagined.

Congress' approach to dealing with the issues of piracy is to figuratively
use hydrogen bombs as a palliative measure -- cities reduced to rubble won't
have much of a piracy problem. But in the real world of the Net, the
technological means to fight such a war are remarkably well distributed
among Internet users at large. It seems as if the Congressional push for
SOPA/PIPA reveals an utter cluelessness by Congress regarding what is
actually about to be unleashed.

If Congress really wants to go to war against the Internet, they'll have
their war. But it will be like nothing the world has ever seen before.

You can count on it.

------------------------------

Date: Fri, 18 Nov 2011 8:26:04 PST
From: "Peter G. Neumann" <neumann_at_private>
Subject: Insider fraud (Michael Lee)

Michael Lee, ZDNet, 17 Nov 2011, ZDNet.com.au <http://ZDNet.com.au>
http://www.zdnet.com.au/wealthy-staff-not-hackers-often-thieves-339326370.htm
  [Item thanks to Jeremy Epstein.  PGN]

Companies are being duped more by their own employees than by external
hackers when it comes to cyber fraud, according to KPMG Forensic associate
director Stan Gallo, and those employees are often high earners.

Gallo presented his talk on corporate identity theft and fraud at Attachmate
Group's A Powerful Connection 2011 event today in Sydney, revealing that the
typical fraudster isn't your average, scruffy-looking bedroom hacker, but
more likely an insider within the corporation. In 65 per cent of all fraud
cases, insiders tap into an organisation's IT systems, secretly siphoning
off money from the company, or selling intellectual property.

One example that Gallo provided was a mother who helped herself to $1.2
million on top of her $40,000 salary by gaming the company's invoicing
system. Working in the accounts-payable department of the company, she
noticed that payment details were being stored on a shared network drive.
After editing the file to fill her own account, she would wait until repeat
invoices would be issued, and then abuse her position to approve the
payment, hiding it among the other several thousand payments that the
company made to cover her tracks.

Although the average amount stolen in Australia was $229,000 per incident,
Gallo said that women tended to steal much more than men. Yet, in general,
the thefts were more likely to have been perpetrated by a man. [...]

------------------------------

Date: Wed, 16 Nov 2011 17:24:01 +0000
From: Tony B Atkinson <tony.atkinson_at_private>
Subject: Re: ANA plane goes nearly belly up ... wrong knob turned
  (Disdale, RISKS-26.61)

Pete Disdale <risks_at_private> writes

> I ... find this astonishing. I had always believed that flight deck
> controls (knobs, levers etc.) were required to be "different" - i.e.
> different colours, shapes - in order to avoid or minimise any confusion by
> the pilot.

In fact, the two knobs are distinctly different in size and shape. You can
see a photo at www.tinyurl.com/humanfactorsblog . The flightdeck illustrated
has the two controls adjacent. I believe that on the ANA control pedestal
the knobs are slightly further apart, but still pretty close.

The pilot has to reach behind him to access the control; it's effectively
out of his line of sight. Distinguishing the control is probably done by
feel most of the time. Incident waiting to happen really.

As has been pointed out, the cabin door lock may be a retrofit or
post-original design. It would have been better to use a different
'affordance' for the door lock and also to make the rudder control something
like a 'push and twist'. Ahh, the benefit of hindsight.

Tony Atkinson, Process Safety Consultant (Human Factors)

------------------------------

Date: Tue, 15 Nov 2011 10:43:40 -0500
From: "Smith, Mike" <msmith_at_private>
Subject: Re: The Coming Fascist Internet (Weinstein, RISKS-26.61)

It seems to me there are some competing interests here. Just to focus on
the intellectual property issue, I note two clauses in the Universal
Declaration of Human Rights (http://www.un.org/en/documents/udhr/):

  Article 19: Everyone has the right to freedom of opinion and expression;
  this right includes freedom to hold opinions without interference and to
  seek, receive and impart information and ideas through any media and
  regardless of frontiers.

  Article 27(2): Everyone has the right to the protection of the moral and
  material interests resulting from any scientific, literary or artistic
  production of which he is the author.

Does Article 19 give one the right to receive and impart someone else's
scientific, literary or artistic productions without regard to the author's
moral and material interests? That seems to be what Lauren is advocating.
I'm not so sure. And if governments and other entities that operate the
communications media are not to provide the protection to which authors of
bit-based products are entitled under 27(2), then who is?

How about Article 29(2)?:

  In the exercise of his rights and freedoms, everyone shall be subject
  only to such limitations as are determined by law solely for the purpose
  of securing due recognition and respect for the rights and freedoms of
  others and of meeting the just requirements of morality, public order and
  the general welfare in a democratic society.

Ah. There are legitimate reasons for passing laws to limit certain rights
in order to protect other rights. We can debate the extent of those
limitations, but not that some limitations are, in fact, necessary.

Mike Smith, CISSP, Senior IT Security Engineer, AEPOS Technologies
Corporation (613) 237-3022 www.aepos.com

------------------------------

Date: Mon, 14 Nov 2011 13:57:21 +0800
From: jidanni_at_private
Subject: Does this icon mean YES or NO? [(Smørgrav, RISKS-26.61)]

> replacing text buttons with non-obvious icons

Every day, all over the Internet, like some kind of game. Fortunately,
being a computer wiz, I can look into the HTML source of such web pages to
find what the names of the icons being used are, e.g., YES.gif, NO.gif.
Wouldn't want to click on Mr. WRONG.

------------------------------

Date: Mon, 6 Jun 2011 20:01:16 -0900
From: RISKS-request_at_private
Subject: Abridged info on RISKS (comp.risks)

 The ACM RISKS Forum is a MODERATED digest. Its Usenet manifestation is
 comp.risks, the feed for which is donated by panix.com as of June 2011.
=> SUBSCRIPTIONS: PLEASE read RISKS as a newsgroup (comp.risks or equivalent)
 if possible and convenient for you.  The mailman Web interface can
 be used directly to subscribe and unsubscribe:
   http://lists.csl.sri.com/mailman/listinfo/risks
 Alternatively, to subscribe or unsubscribe via e-mail to mailman
 your FROM: address, send a message to
   risks-request_at_private
 containing only the one-word text subscribe or unsubscribe.  You may
 also specify a different receiving address: subscribe address= ... .
 You may short-circuit that process by sending directly to either
   risks-subscribe_at_private or risks-unsubscribe_at_private
 depending on which action is to be taken.

 Subscription and unsubscription requests require that you reply to a
 confirmation message sent to the subscribing mail address.  Instructions
 are included in the confirmation message.  Each issue of RISKS that you
 receive contains information on how to post, unsubscribe, etc.

=> The complete INFO file (submissions, default disclaimers, archive sites,
 copyright policy, etc.) is online.
   <http://www.CSL.sri.com/risksinfo.html>
 The full info file may appear now and then in RISKS issues.
 *** Contributors are assumed to have read the full info file for guidelines.

=> .UK users may contact <Lindsay.Marshall_at_private>.
=> SPAM challenge-responses will not be honored.  Instead, use an alternative
 address from which you NEVER send mail!
=> SUBMISSIONS: to risks_at_private with meaningful SUBJECT: line.
 *** NOTE: Including the string "notsp" at the beginning or end of the subject
 *** line will be very helpful in separating real contributions from spam.
 *** This attention-string may change, so watch this space now and then.
=> ARCHIVES: ftp://ftp.sri.com/risks for current volume
     or ftp://ftp.sri.com/VL/risks for previous VoLume
 http://www.risks.org takes you to Lindsay Marshall's searchable archive at
 newcastle: http://catless.ncl.ac.uk/Risks/VL.IS.html gets you VoLume, ISsue.
 Lindsay has also added to the Newcastle catless site a palmtop version
 of the most recent RISKS issue and a WAP version that works for many but
 not all telephones: http://catless.ncl.ac.uk/w/r
   <http://the.wiretapped.net/security/info/textfiles/risks-digest/> .
==> PGN's comprehensive historical Illustrative Risks summary of one liners:
   <http://www.csl.sri.com/illustrative.html> for browsing,
   <http://www.csl.sri.com/illustrative.pdf> or .ps for printing
 is no longer maintained up-to-date except for recent election problems.
==> Special Offer to Join ACM for readers of the ACM RISKS Forum:
   <http://www.acm.org/joinacm1>

------------------------------

End of RISKS-FORUM Digest 26.62
************************