RISKS-LIST: Risks-Forum Digest  Saturday 26 November 2011  Volume 26 : Issue 64

ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
Peter G. Neumann, moderator, chmn ACM Committee on Computers and Public Policy

***** See last item for further information, disclaimers, caveats, etc. *****
This issue is archived at <http://www.risks.org> as
  <http://catless.ncl.ac.uk/Risks/26.64.html>
The current issue can be found at
  <http://www.csl.sri.com/users/risko/risks.txt>

  Contents:
CalPERS computer misfire sparks benefit cancellations (Randall Neff)
Robot prison wardens - with guns? (Peter Houppermans)
"Facebook bans at work linked to increased security breaches"
  (Nestor E. Arellano via Gene Wirchenko)
"Hired posters degrading Web's information credibility"
  (John P. Mello Jr. via Gene Wirchenko)
Thailand wants Facebook links blocked, warns that pressing "Like" can lead
  to prosecution (Lauren Weinstein)
If You Can't Trust Caller ID ... (Matt Richtel)
LaTeX as an example of software engineering best practices?
  (Mark Thorson, PGN)
Re: Update: U.S. water plants reportedly hit by cyber attacks
  (Alexander Klimov)
Ruined water pump apparently wasn't attacked by hackers after all
  (Lauren Weinstein)
Apple iTunes flaw 'allowed government spying for 3 years' (Lauren Weinstein)
More on Duqu/stuxnet link? (PGN)
Missing the point of the Internet (Bob Frankston)
REVIEW: Eric D. Knapp, Industrial Network Security: Securing Critical
  Infrastructure Networks for Smart Grid, SCADA, and Other Industrial
  Control Systems (Richard Austin)
Abridged info on RISKS (comp.risks)

----------------------------------------------------------------------

Date: Sat, 26 Nov 2011 08:42:33 -0800
From: Randall Neff <randall.neff_at_private>
Subject: CalPERS computer misfire sparks benefit cancellations

Sacramento, Calif.
A glitch with CalPERS' (California Pension System) new half-billion-dollar
computer system has delayed death benefit checks to widowed spouses and
incorrectly triggered letters notifying some members that their health
insurance has been canceled.

http://www.mcclatchydc.com/2011/11/23/131256/computer-glitch-in-californias.html#storylink=misearch

------------------------------

Date: Sat, 26 Nov 2011 17:13:05 +0100
From: Peter Houppermans <peter_at_private>
Subject: Robot prison wardens - with guns?

Robot wardens are about to join the ranks of South Korea's prison service.
http://www.bbc.co.uk/news/technology-15893772

  A jail in the eastern city of Pohang plans to run a month-long trial with
  three of the automatons in March. The machines will monitor inmates for
  abnormal behaviour. Researchers say they will help reduce the workload for
  other guards. South Korea aims to be a world leader in robotics. Business
  leaders believe the field has the potential to become a major export
  industry.

It actually gets even better:

  "The South Korean defence company DoDAAM is also developing robotic gun
  turrets for export which can be programmed to open fire automatically."

Oh yeah, you want those turrets on that robot in a prison. New, untried OS,
vendor under competitive pressure, gun with real bullets and a high
likelihood of this thing having some form of remote management. What could
possibly go wrong?

PS: good luck recruiting service engineers...

------------------------------

Date: Thu, 24 Nov 2011 10:23:49 -0800
From: Gene Wirchenko <genew_at_private>
Subject: "Facebook bans at work linked to increased security breaches"
  (Nestor E. Arellano)

I have submitted news of a number of Facebook security breaches. Now, it
appears that they (whoever that is) have you coming and going.
The title says it:

  Facebook bans at work linked to increased security breaches

  Companies that ban employees from using social media are 30 per cent more
  likely to suffer computer security breaches than firms that are more
  lenient on the issue of workers tweeting and checking Facebook posts in
  the office, according to a recent survey.

Nestor E. Arellano, *IT Business*, 24 Nov 2011
http://www.itbusiness.ca/it/client/en/home/News.asp?id=65068

------------------------------

Date: Fri, 25 Nov 2011 10:53:41 -0800
From: Gene Wirchenko <genew_at_private>
Subject: "Hired posters degrading Web's information credibility"
  (John P. Mello Jr.)

http://www.itbusiness.ca/it/client/en/home/News.asp?id=65094

  Hired posters degrading Web's information credibility

  A new study says paid posters are poisoning the Internet with their
  untrustworthy content.

John P. Mello Jr., *IT Business*, 24 Nov 2011

------------------------------

Date: Thu, 24 Nov 2011 12:35:16 -0800
From: Lauren Weinstein <lauren_at_private>
Subject: Thailand wants Facebook links blocked, warns that pressing "Like"
  can lead to prosecution (NNSquad)

http://j.mp/vZ2fnM  (TheNextWeb)

  The government of Thailand has contacted Facebook to request the removal
  of more than 10,000 of its pages that are deemed in breach of laws
  preventing the defamation of the country's royal family.

 - - -

http://j.mp/v7FD57  (Bangkok Post)

  Local Facebook users risk violating the computer law unknowingly by
  pressing the "like" or "share" button included with posted comment on
  anti-monarchy messages on the most popular social networking site,
  Information and Communication Technology Minister Anudith Nakornthap said
  on Thursday. Anyone doing so could be arrested on charges of violating the
  Computer Crime Act and committing lese majeste because the law prohibits
  the dissemination of content deemed insulting to the monarchy, he said.
  Facebook users should not press the ``like'' button or post comments on
  lese majeste-related content.
 - - -

How about this for a way to prod these Neanderthals into the 21st century?
Cut them off the Net totally until these practices cease.

Be sure to read the part about the 61-year-old man just handed a 20 year
prison sentence for sending SMS messages "insulting" to the royal family.

------------------------------

Date: Wed, 23 Nov 2011 14:14:47 PST
From: "Peter G. Neumann" <neumann_at_private>
Subject: If You Can't Trust Caller ID ... (Matt Richtel)

Telemarketers increasingly are disguising their real identities and phone
numbers... Caller ID [properly, Calling Number ID] is becoming Fake ID.
New FCC rules have been instituted to combat this practice, but are
apparently very limited in their effectiveness...

  [Source: Matt Richtel, *The New York Times* front page, 23 Nov 2011; PGN-ed]

------------------------------

Date: Fri, 25 Nov 2011 10:48:44 -0800
From: Mark Thorson <eee_at_private>
Subject: LaTeX as an example of software engineering best practices

You might think that a program written by Donald Knuth and Leslie Lamport
would be an ideal example of good programming, rather than the kind of
encrusted monstrosity we expect from Microsoft. But perhaps it's the way of
all things to end up like that, no matter who wrote it.

http://vallettaventures.tumblr.com/post/13124883568/the-price-of-a-messy-codebase-no-latex-for-the-ipad

------------------------------

Date: Fri, 25 Nov 2011 19:32:56 PST
From: Peter Neumann <risko_at_private>
Subject: Re: LaTeX as an example of software engineering best practices

Mark, TEX is complicated. Don Knuth once told me he never used it, and just
handed raw text (on paper?) to his secretaries to be TEXed. LaTeX was
created by Les Lamport initially primarily for his own use (reminds you a
little of Unix?). He gave it away for free, but his son's college education
was funded from the book sales.
But LaTeX significantly simplified many of the more challenging corners of
TEX, and yet it deals with huge numbers of fonts, IEEE and ACM styles for
formatting and bibliographies and whatever, automated indexing, and
miraculously it usually works once you have figured out how to use it, with
copious additional advice existing on the Web. But it is nontrivial to get
it working seamlessly.

Complex systems are intrinsically complex. That's not a surprise. One
question is whether the human interface can be usable. Another question is
whether it is sufficiently well software engineered and modularly
encapsulated to be easily extendable by others.

For those reasons, I am still addicted to LaTeX and emacs. But I don't think
I would want to use them for creating large documents on an iPad.

------------------------------

Date: Thu, 24 Nov 2011 19:39:01 +0200
From: Alexander Klimov <ask_at_private>
Subject: Re: Update: U.S. water plants reportedly hit by cyber attacks
  (Lemos, R 26 62)

<http://www.pcmag.com/article2/0,2817,2396835,00.asp>

  The Department of Homeland Security and the FBI on Wednesday shot down
  reports that a cyber attack recently took down a pump at an Illinois
  public water utility.

  "After detailed analysis, DHS and the FBI have found no evidence of a
  cyber intrusion into the SCADA system of the Curran-Gardner Public Water
  District in Springfield, Illinois," a DHS spokesman said in a statement.

  [...]

  DHS, however, said the reports seen by Weiss "were based on raw,
  unconfirmed data and subsequently leaked to the media." After evaluating
  the situation, officials found "no evidence ... that any credentials were
  stolen, or that the vendor was involved in any malicious activity that led
  to a pump failure at the water plant."

  "In addition, DHS and FBI have concluded that there was no malicious
  traffic from Russia or any foreign entities, as previously reported," DHS
  continued.
  "Analysis of the incident is ongoing and additional relevant information
  will be released as it becomes available."

I guess most people excited by the original report will never see the
rebuttal.

------------------------------

Date: Tue, 22 Nov 2011 18:21:57 -0800
From: Lauren Weinstein <lauren_at_private>
Subject: Ruined water pump apparently wasn't attacked by hackers after all
  (Re: Lemos, RISKS-26.62)

http://j.mp/vLku0D  (Wired)

  "A report from an Illinois intelligence fusion center that a water utility
  was hacked cannot be substantiated, according to an announcement released
  late Tuesday by the Department of Homeland Security. Additionally, the
  department disputes assertions in the fusion center report that an
  infrastructure-control software vendor was hacked prior to the water
  utility intrusion in order to obtain user names and passwords to break
  into the utility company and destroy a water pump."

 - - -

Some of you may recall I was skeptical of this report early on. While
there's still confusion, I will say again that the "Quick! Blame the evil
hackers and foreign governments testing our defenses!" excuse for local
screw-ups should always be considered as a strong contender in these
situations.

Lauren Weinstein (lauren@private): http://www.vortex.com/lauren
People For Internet Responsibility: http://www.pfir.org
Network Neutrality Squad: http://www.nnsquad.org

------------------------------

Date: Fri, 25 Nov 2011 12:23:05 -0800
From: Lauren Weinstein <lauren_at_private>
Subject: Apple iTunes flaw 'allowed government spying for 3 years'

  "A British company called Gamma International marketed hacking software to
  governments that exploited the vulnerability via a bogus update to iTunes,
  Apple's media player, which is installed on more than 250 million machines
  worldwide. The hacking software, FinFisher, is used to spy on intelligence
  targets' computers.
  It is known to be used by British agencies and earlier this year records
  were discovered in abandoned offices of that showed it had been offered to
  Egypt's feared secret police."

http://j.mp/tglKss  (Telegraph)

 - - -

I have no additional info about this report yet, one way or another.

------------------------------

Date: Wed, 23 Nov 2011 10:21:14 PST
From: "Peter G. Neumann" <neumann_at_private>
Subject: More on Duqu/stuxnet link?

http://news.hostexploit.com/cybercrime-news/5022-duqu-from-the-same-publishing-house-as-stuxnet.html

------------------------------

Date: Fri, 25 Nov 2011 14:25:36 -0500
From: "Bob Frankston" <bob2-39_at_private>
Subject: Missing the point of the Internet (Re: Shapir, RISKS-26.63)

Today's Internet is a work in progress. Indeed the current implementation
lends itself to tracking because the current implementation depends on a
central authority for names and addresses (DNS and IP) and because bits are
tracked in order to support the current telecommunications business model.

The real risk is confusing these artifacts with the larger idea of the
Internet which shows what can be done without a central authority or, for
now, despite these central authorities.

As I explain in http://rmf.vc/ThinkingOutsideThePipe networks are not
fundamental. This means that the Internet is not easier to control once
there is a funding model that doesn't require controlling the path. To put
it another way -- the reason that the Internet is easy to control is that
we have stakeholders who embrace control and not because such control is
necessary.

-----Original Message-----
From: Amos Shapir [mailto:amos083_at_private]
Sent: Sunday, November 20, 2011 09:59
Subject: [risks 26.63] Re: The Coming Fascist Internet (Weinstein, RISKS-26.61)

Comparing the Internet to other rather new technologies shows that prognosis
is not good.
Take driving as a case in point: about 20 years after the invention of the
automobile, anyone could drive anything anywhere; now no one can drive
anywhere unless both vehicle and driver are licensed and registered by some
government.

The Internet is even easier to control than roads, as all infrastructure is
supplied by a few big companies, which usually comply with the government.
China seems to be the future.

------------------------------

Date: Thu, 24 Nov 2011 00:23:22 -0700
From: "Cipher Editor" <cipher-editor_at_ieee-security.org>
Subject: REVIEW: Eric D. Knapp, Industrial Network Security: Securing
  Critical Infrastructure Networks for Smart Grid, SCADA, and Other
  Industrial Control Systems (Richard Austin)

EXCERPTED FROM:
Newsletter of the IEEE Computer Society's TC on Security and Privacy
Electronic Issue 105
November 22, 2011

Hilarie Orman, Editor                  Sven Dietrich, Assoc. Editor
cipher-editor @ ieee-security.org      cipher-assoc-editor @ ieee-security.org

Richard Austin                         Yong Guan
Book Review Editor                     Calendar Editor
cipher-bookrev @ ieee-security.org     cipher-cfp @ ieee-security.org

Book Review By Richard Austin
November 18, 2011

Industrial Network Security: Securing Critical Infrastructure Networks for
Smart Grid, SCADA, and Other Industrial Control Systems
Eric D. Knapp
Syngress 2011.
ISBN 978-1-59749-645-2
Amazon.com, U.S. $32.90
Table of Contents: http://www.elsevierdirect.com/toc.jsp?isbn=9781597496452

Whether based on the success of STUXNET, Richard Clarke's "Cyber War" or
Joel Brenner's "America the Vulnerable", a convincing case has been made
that we, as security professionals, should be concerned about the security
measures (or lack thereof) being applied to the industrial control systems
that manage power generation and distribution as well as many other
critical infrastructure components.
At the same time, many of us, like your humble correspondent, would be
forced to admit that our knowledge in this area doesn't go much further
than being able to spell out the acronym "SCADA". Knapp recognizes this lack
and provides a quite readable introduction to industrial networks and how
familiar security principles can be translated to apply in this complex
area.

The first third of the book provides an introduction to industrial networks,
their protocols and how they operate. Peppered throughout the introduction
are sidelights on security incidents and previews of how security measures
may be applied. Acronyms multiply quickly and readers will likely want to
maintain a cheat sheet to avoid having to flip back and forth to find their
meanings (many, but not all, are in the glossary).

The majority of the book is devoted to parsing out what "information
security" really means in the context of industrial networks. Familiar
topics such as "vulnerability and risk management" and "situational
awareness" are placed in context and the unique considerations imposed by an
industrial control network are identified. For example, many of us will
have had the experience of crashing a piece of network equipment when
scanning its management interface to assess its attack surface. What is an
inconvenience in that context may have a much wider impact when the device
is controlling a real-world process.

As you might expect, compliance is a major concern and a very useful chapter
reviews the relevant standards/regulations and provides recommendations for
demonstrating compliance. Knapp also provides a "reverse mapping" that even
identifies the relevant chapter of the book.

The closing chapter's review of why-things-often-go-wrong includes many of
the usual suspects ("Compliance vs.
Security", "Misconfigurations", etc.) and serves as a final reminder that
though industrial networks present many unique features, they also have much
in common with the more familiar areas of information security.

Whether you are charged with defending an industrial network or curious
about all the "buzz" over SCADA security, Knapp's book will provide a solid
introduction to this fascinating area. Definitely a recommended read.

  [Before beginning life as a university instructor and independent
  cybersecurity consultant, Richard Austin (http://cse.spsu.edu/raustin2)
  spent 30+ years in the IT industry in positions ranging from software
  developer to security architect. He welcomes your thoughts and comments at
  raustin2 at spsu dot edu.]

------------------------------

Date: Mon, 6 Jun 2011 20:01:16 -0900
From: RISKS-request_at_private
Subject: Abridged info on RISKS (comp.risks)

 The ACM RISKS Forum is a MODERATED digest. Its Usenet manifestation is
 comp.risks, the feed for which is donated by panix.com as of June 2011.
=> SUBSCRIPTIONS: PLEASE read RISKS as a newsgroup (comp.risks or equivalent)
 if possible and convenient for you. The mailman Web interface can
 be used directly to subscribe and unsubscribe:
   http://lists.csl.sri.com/mailman/listinfo/risks
 Alternatively, to subscribe or unsubscribe via e-mail to mailman
 your FROM: address, send a message to
   risks-request_at_private
 containing only the one-word text subscribe or unsubscribe. You may
 also specify a different receiving address: subscribe address= ... .
 You may short-circuit that process by sending directly to either
   risks-subscribe_at_private or risks-unsubscribe_at_private
 depending on which action is to be taken. Subscription and
 unsubscription requests require that you reply to a confirmation message
 sent to the subscribing mail address. Instructions are included in the
 confirmation message. Each issue of RISKS that you receive contains
 information on how to post, unsubscribe, etc.
=> The complete INFO file (submissions, default disclaimers, archive sites,
 copyright policy, etc.) is online.
   <http://www.CSL.sri.com/risksinfo.html>
 The full info file may appear now and then in RISKS issues.
 *** Contributors are assumed to have read the full info file for guidelines.
=> .UK users may contact <Lindsay.Marshall_at_private>.
=> SPAM challenge-responses will not be honored. Instead, use an alternative
 address from which you NEVER send mail!
=> SUBMISSIONS: to risks_at_private with meaningful SUBJECT: line.
 *** NOTE: Including the string "notsp" at the beginning or end of the subject
 *** line will be very helpful in separating real contributions from spam.
 *** This attention-string may change, so watch this space now and then.
=> ARCHIVES: ftp://ftp.sri.com/risks for current volume
 or ftp://ftp.sri.com/VL/risks for previous VoLume
 http://www.risks.org takes you to Lindsay Marshall's searchable archive at
 newcastle: http://catless.ncl.ac.uk/Risks/VL.IS.html gets you VoLume, ISsue.
 Lindsay has also added to the Newcastle catless site a palmtop version
 of the most recent RISKS issue and a WAP version that works for many but
 not all telephones: http://catless.ncl.ac.uk/w/r
 <http://the.wiretapped.net/security/info/textfiles/risks-digest/> .
==> PGN's comprehensive historical Illustrative Risks summary of one liners:
   <http://www.csl.sri.com/illustrative.html> for browsing,
   <http://www.csl.sri.com/illustrative.pdf> or .ps for printing
 is no longer maintained up-to-date except for recent election problems.
==> Special Offer to Join ACM for readers of the ACM RISKS Forum:
   <http://www.acm.org/joinacm1>

------------------------------

End of RISKS-FORUM Digest 26.64
************************