[RISKS] Risks Digest 26.64

From: RISKS List Owner <risko_at_private>
Date: Sat, 26 Nov 2011 12:35:30 PST
RISKS-LIST: Risks-Forum Digest  Saturday 26 November 2011  Volume 26 : Issue 64

ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
Peter G. Neumann, moderator, chmn ACM Committee on Computers and Public Policy

***** See last item for further information, disclaimers, caveats, etc. *****
This issue is archived at <http://www.risks.org> as
  <http://catless.ncl.ac.uk/Risks/26.64.html>
The current issue can be found at
  <http://www.csl.sri.com/users/risko/risks.txt>

  Contents:
CalPERS computer misfire sparks benefit cancellations (Randall Neff)
Robot prison wardens - with guns? (Peter Houppermans)
"Facebook bans at work linked to increased security breaches"
  (Nestor E. Arellano via Gene Wirchenko)
"Hired posters degrading Web's information credibility"
  (John P. Mello Jr. via Gene Wirchenko)
Thailand wants Facebook links blocked, warns that pressing "Like" can
  lead to prosecution (Lauren Weinstein)
If You Can't Trust Caller ID ... (Matt Richtel)
LaTeX as an example of software engineering best practices? (Mark Thorson,
  PGN)
Re: Update: U.S. water plants reportedly hit by cyber attacks
  (Alexander Klimov)
Ruined water pump apparently wasn't attacked by hackers after all
  (Lauren Weinstein)
Apple iTunes flaw 'allowed government spying for 3 years' (Lauren Weinstein)
More on Duqu/stuxnet link? (PGN)
Missing the point of the Internet (Bob Frankston)
REVIEW: Eric D. Knapp, Industrial Network Security: Securing
  Critical Infrastructure Networks for Smart Grid, SCADA, and Other
  Industrial Control Systems (Richard Austin)
Abridged info on RISKS (comp.risks)

----------------------------------------------------------------------

Date: Sat, 26 Nov 2011 08:42:33 -0800
From: Randall Neff <randall.neff_at_private>
Subject: CalPERS computer misfire sparks benefit cancellations

Sacramento, Calif.  A glitch with CalPERS' (California Pension System) new
half-billion-dollar computer system has delayed death benefit checks to
widowed spouses and incorrectly triggered letters notifying some members
that their health insurance has been canceled.
http://www.mcclatchydc.com/2011/11/23/131256/computer-glitch-in-californias.html#storylink=misearch

------------------------------

Date: Sat, 26 Nov 2011 17:13:05 +0100
From: Peter Houppermans <peter_at_private>
Subject: Robot prison wardens - with guns?

Robot wardens are about to join the ranks of South Korea's prison service.
http://www.bbc.co.uk/news/technology-15893772

  A jail in the eastern city of Pohang plans to run a month-long trial with
  three of the automatons in March.  The machines will monitor inmates for
  abnormal behaviour.  Researchers say they will help reduce the workload
  for other guards.  South Korea aims to be a world leaders in
  robotics. Business leaders believe the field has the potential to become a
  major export industry.

It actually gets even better:

  "The South Korean defence company DoDAAM is also developing robotic gun
  turrets for export which can be programmed to open fire automatically."

Oh yeah, you want those turrets on that robot in a prison.  New, untried OS,
vendor under competitive pressure, gun with real bullets and a high
likelihood of this thing having some form of remote management.  What could
possible go wrong?

PS: good luck recruiting service engineers...

------------------------------

Date: Thu, 24 Nov 2011 10:23:49 -0800
From: Gene Wirchenko <genew_at_private>
Subject: "Facebook bans at work linked to increased security breaches"
  (Nestor E. Arellano)

I have submitted news of a number of Facebook security breaches.  Now, it
appears that they (whoever that is) have you coming and going.  The title
says it:

  Facebook bans at work linked to increased security breaches

  Companies that ban employees from using social media are 30 per cent more
  likely to suffer computer security breaches than firms that are more
  lenient on the issue of workers tweeting and checking Facebook posts in
  the office, according to recent survey.
  Nestor E. Arellano, *IT Business*, 24 Nov 2011
  http://www.itbusiness.ca/it/client/en/home/News.asp?id=65068

------------------------------

Date: Fri, 25 Nov 2011 10:53:41 -0800
From: Gene Wirchenko <genew_at_private>
Subject: "Hired posters degrading Web's information credibility"
  (John P. Mello Jr.)

http://www.itbusiness.ca/it/client/en/home/News.asp?id=65094
Hired posters degrading Web's information credibility
A new study says paid posters are poisoning the Internet with their
untrustworthy content.

 John P. Mello Jr., *IT Business*, 24 Nov 2011

------------------------------

Date: Thu, 24 Nov 2011 12:35:16 -0800
From: Lauren Weinstein <lauren_at_private>
Subject: Thailand wants Facebook links blocked, warns that pressing "Like"
  can lead to prosecution (NNSquad)

http://j.mp/vZ2fnM  (TheNextWeb)

  The government of Thailand has contacted Facebook to request the
  removal of more than 10,000 of its pages that are deemed in breach of
  laws preventing the defamation of the country's royal family.

 - - -

http://j.mp/v7FD57  (Bangkok Post)

  Local Facebook users risk violating the computer law unknowingly by
  pressing the "like" or "share" button included with posted comment on
  anti-monarchy messages on the most popular social networking site,
  Information and Communication Technology Minister Anudith Nakornthap said
  on Thursday.  Anyone doing so could be arrested on charges of violating
  the Computer Crime Act and committing lese majeste because the law
  prohibits the dissemination of content deemed insulting to the monarchy,
  he said.  Facebook users should not press the ``like'' button or post
  comments on lese majeste-related content.

 - - -

How about this for a way to prod these Neanderthals into the 21st century?
Cut them off the Net totally until these practices cease.  Be sure to read
the part about the 61-year-old man just handed a 20 year prison sentence for
sending SMS messages "insulting" to the royal family.

------------------------------

Date: Wed, 23 Nov 2011 14:14:47 PST
From: "Peter G. Neumann" <neumann_at_private>
Subject: If You Can't Trust Caller ID ... (Matt Richtel)

Telemarketers increasingly are disguising their real identities and
phone numbers...  Caller ID [properly, Calling Number ID] is becoming
Fake ID.  New FCC rules have been instituted to combat this practice,
but are apparently very limited in their effectiveness...  [Source: Matt
Richtel, *The New York Times* front page, 23 Nov 2011; PGN-ed]

------------------------------

Date: Fri, 25 Nov 2011 10:48:44 -0800
From: Mark Thorson <eee_at_private>
Subject: LaTeX as an example of software engineering best practices

You might think that a program written by Donald Knuth and Leslie Lamport
would be an ideal example of good programming, rather than the kind of
encrusted monstrosity we expect from Microsoft.  But perhaps it's the way of
all things to end up like that, no matter who wrote it.

http://vallettaventures.tumblr.com/post/13124883568/the-price-of-a-messy-codebase-no-latex-for-the-ipad

------------------------------

Date: Fri, 25 Nov 2011 19:32:56 PST
From: Peter Neumann <risko_at_private>
Subject: Re: LaTeX as an example of software engineering best practices

Mark, TEX is complicated.  Don Knuth once told me he never used it, and just
handed raw text (on paper?) to his secretaries to be TEXed.

LaTeX was created by Les Lamport initially primarily for his own use
(reminds you a little of Unix?).  He gave it away for free, but his son's
college education was funded from the book sales.  But LaTeX significantly
simplified many of the more challenging corners of TEX, and yet it deals
with huge numbers of fonts, IEEE and ACM styles for formatting and
bibliographies and whatever, automated indexing, and miraculously it usually
works once you have figured out how to use it, with copious additional
advice existing on the Web.  But it is nontrivial to get it working
seamlessly.

Complex system are intrinsically complex.  That's not a surprise.  One
question is whether the human interface can be usable.  Another question is
whether it is sufficiently well software engineered and modularly
encapsulated to be easily extendable by others.  For those reasons, I am
still addicted to LaTeX and emacs.  But I don't think I would want to use
them for creating large documents on an iPad.

------------------------------

Date: Thu, 24 Nov 2011 19:39:01 +0200
From: Alexander Klimov <ask_at_private>
Subject: Re: Update: U.S. water plants reportedly hit by cyber attacks
  (Lemos, R 26 62)

<http://www.pcmag.com/article2/0,2817,2396835,00.asp>

  The Department of Homeland Security and the FBI on Wednesday shot
  down reports that a cyber attack recently took down a pump at an
  Illinois public water utility.

  "After detailed analysis, DHS and the FBI have found no evidence of
  a cyber intrusion into the SCADA system of the Curran-Gardner Public
  Water District in Springfield, Illinois," a DHS spokesman said in a
  statement.

  [...] DHS, however, said the reports seen by Weiss "were based on
  raw, unconfirmed data and subsequently leaked to the media." After
  evaluating the situation, officials found "no evidence ... that any
  credentials were stolen, or that the vendor was involved in any
  malicious activity that led to a pump failure at the water plant."

  "In addition, DHS and FBI have concluded that there was no malicious
  traffic from Russia or any foreign entities, as previously
  reported," DHS continued. "Analysis of the incident is ongoing and
  additional relevant information will be released as it becomes
  available."

I guess most people excited by the original report will never see the
rebuttal.

------------------------------

Date: Tue, 22 Nov 2011 18:21:57 -0800
From: Lauren Weinstein <lauren_at_private>
Subject: Ruined water pump apparently wasn't attacked by hackers after all
  (Re: Lemos, RISKS-26.62)

http://j.mp/vLku0D  (Wired)

  "A report from an Illinois intelligence fusion center that a water utility
  was hacked cannot be substantiated, according to an announcement released
  late Tuesday by the Department of Homeland Security.  Additionally, the
  department disputes assertions in the fusion center report that an
  infrastructure-control software vendor was hacked prior to the water
  utility intrusion in order to obtain user names and passwords to break
  into the utility company and destroy a water pump."

 - - -

Some of you may recall I was skeptical of this report early on.  While
there's still confusion, I will say again that the "Quick! Blame the evil
hackers and foreign governments testing our defenses!" excuse for local
screw-ups should always be considered as a strong contender in these
situations.

Lauren Weinstein (lauren@private): http://www.vortex.com/lauren
People For Internet Responsibility: http://www.pfir.org
Network Neutrality Squad: http://www.nnsquad.org

------------------------------

Date: Fri, 25 Nov 2011 12:23:05 -0800
From: Lauren Weinstein <lauren_at_private>
Subject: Apple iTunes flaw 'allowed government spying for 3 years'

  "A British company called Gamma International marketed hacking software to
  governments that exploited the vulnerability via a bogus update to iTunes,
  Apple's media player, which is installed on more than 250 million machines
  worldwide.  The hacking software, FinFisher, is used to spy on
  intelligence targets' computers. It is known to be used by British
  agencies and earlier this year records were discovered in abandoned
  offices of that showed it had been offered to Egypt's feared secret
  police."  http://j.mp/tglKss  (Telegraph)

 - - -

I have no additional info about this report yet, one way or another.

------------------------------

Date: Wed, 23 Nov 2011 10:21:14 PST
From: "Peter G. Neumann" <neumann_at_private>
Subject: More on Duqu/stuxnet link?

http://news.hostexploit.com/cybercrime-news/5022-duqu-from-the-same-publishing-house-as-stuxnet.html

------------------------------

Date: Fri, 25 Nov 2011 14:25:36 -0500
From: "Bob Frankston" <bob2-39_at_private>
Subject: Missing the point of the Internet (Re: Shapir, RISKS-26.63)

Today's Internet is a work in progress. Indeed the current implementation
lends itself to tracking because the current implementation depends on a
central authority for names and addresses (DNS and IP) and because bits are
tracked in order to support the current telecommunications business model.

The real risk is confusing these artifacts with the larger idea of the
Internet which shows what can done without a central authority or, for now,
despite these central authorities.

As I explain in http://rmf.vc/ThinkingOutsideThePipe networks are not
fundamental. This means that the Internet is not easier to control once
there is a funding model that doesn't require controlling the path.

To put it another way -- the reason that the Internet is easy to control is
that we have stakeholders who embrace control and not because such control
is necessary.

  -----Original Message-----
  From: Amos Shapir [mailto:amos083_at_private]
  Sent: Sunday, November 20, 2011 09:59
  Subject: [risks 26.63] Re: The Coming Fascist Internet (Weinstein,
    RISKS-26.61)

Comparing the Internet to other rather new technologies shows that prognosis
is not good.  Take driving as a case in point: about 20 years after the
invention of the automobile, anyone could drive anything anywhere; now no
one can drive anywhere unless both vehicle and driver are licensed and
registered by some government.

The Internet is even easier to control than roads, as all infrastructure is
supplied by a few big companies, which usually comply with the government.
China seems to be the future.

------------------------------

Date: Thu, 24 Nov 2011 00:23:22 -0700
From: "Cipher Editor" <cipher-editor_at_ieee-security.org>
Subject: REVIEW: Eric D. Knapp, Industrial Network Security: Securing
  Critical Infrastructure Networks for Smart Grid, SCADA, and Other
  Industrial Control Systems (Richard Austin)

EXCERPTED FROM:
Newsletter of the IEEE Computer Society's TC on Security and Privacy
Electronic Issue 105                                       November 22, 2011
Hilarie Orman, Editor                           Sven Dietrich, Assoc. Editor
cipher-editor @ ieee-security.org    cipher-assoc-editor @ ieee-security.org

Richard Austin                                                     Yong Guan
Book Review Editor                                           Calendar Editor
cipher-bookrev @ ieee-security.org            cipher-cfp @ ieee-security.org

		    Book Review By Richard Austin
                          November 18, 2011

Industrial Network Security: Securing Critical Infrastructure Networks
for Smart Grid, SCADA, and Other Industrial Control Systems
Eric D. Knapp
Syngress 2011.
ISBN 978-1-59749-645-2 Amazon.com, U.S. $32.90

Table of Contents:
http://www.elsevierdirect.com/toc.jsp?isbn=9781597496452

Whether based on the success of STUXNET, Richard Clarke's "Cyber War" or
Joel Brenner's "America the Vulnerable", a convincing case has been made
that we, as security professionals, should be concerned about the security
measures (or lack thereof) being applied to the industrial control systems
that manage power generation and distribution as well as many other critical
infrastructure components.  At the same time, many of us, like your humble
correspondent, would be forced to admit that our knowledge in this area
doesn't go much further than being able to spell out the acronym "SCADA".
Knapp recognizes this lack and provides a quite readable introduction to
industrial networks and how familiar security principles can be translated
to apply in this complex area.

The first third of the book provides an introduction to industrial networks,
their protocols and how they operate.  Peppered throughout the introduction
are sidelights on security incidents and previews of how security measures
may be applied.  Acronyms multiply quickly and readers will likely want to
maintain a cheat sheet to avoid having to flip back and forth to find their
meanings (many, but not all, are in the glossary).

The majority of the book is devoted to parsing out what "information
security" really means in the context of industrial networks.  Familiar
topics such as "vulnerability and risk management" and "situational
awareness" are placed in context and the unique considerations imposed by an
industrial control network are identified.  For example, many of us will
have had the experience of crashing a piece of network equipment when
scanning its management interface to assess its attack surface.  What is an
inconvenience in that context may have a much wider impact when the device
is controlling a real-world process.

As you might expect, compliance is a major concern and a very useful chapter
reviews the relevant standards/regulations and provides recommendations for
demonstrating compliance.  Knapp also provides a "reverse mapping" that even
identifies the relevant chapter of the book.

The closing chapter's review of why-things-often-go-wrong includes many of
the usual suspects ("Compliance vs. Security", "Misconfigurations", etc) and
serves as a final reminder that though industrial networks present many
unique features, they also have much in common with the more familiar areas
of information security.

Whether you are charged with defending an industrial network or curious
about all the "buzz" over SCADA security, Knapp's book will provide a solid
introduction to this fascinating area.  Definitely a recommended read.

  [Before beginning life as a university instructor and independent
  cybersecurity consultant, Richard Austin (http://cse.spsu.edu/raustin2)
  spent 30+ years in the IT industry in positions ranging from software
  developer to security architect.  He welcomes your thoughts and comments
  at raustin2 at spsu dot edu .]

------------------------------

Date: Mon, 6 Jun 2011 20:01:16 -0900
From: RISKS-request_at_private
Subject: Abridged info on RISKS (comp.risks)

 The ACM RISKS Forum is a MODERATED digest. Its Usenet manifestation is
 comp.risks, the feed for which is donated by panix.com as of June 2011.
=> SUBSCRIPTIONS: PLEASE read RISKS as a newsgroup (comp.risks or equivalent)
 if possible and convenient for you.  The mailman Web interface can
 be used directly to subscribe and unsubscribe:
   http://lists.csl.sri.com/mailman/listinfo/risks
 Alternatively, to subscribe or unsubscribe via e-mail to mailman
 your FROM: address, send a message to
   risks-request_at_private
 containing only the one-word text subscribe or unsubscribe.  You may
 also specify a different receiving address: subscribe address= ... .
 You may short-circuit that process by sending directly to either
   risks-subscribe_at_private or risks-unsubscribe_at_private
 depending on which action is to be taken.

 Subscription and unsubscription requests require that you reply to a
 confirmation message sent to the subscribing mail address.  Instructions
 are included in the confirmation message.  Each issue of RISKS that you
 receive contains information on how to post, unsubscribe, etc.

=> The complete INFO file (submissions, default disclaimers, archive sites,
 copyright policy, etc.) is online.
   <http://www.CSL.sri.com/risksinfo.html>
 The full info file may appear now and then in RISKS issues.
 *** Contributors are assumed to have read the full info file for guidelines.

=> .UK users may contact <Lindsay.Marshall_at_private>.
=> SPAM challenge-responses will not be honored.  Instead, use an alternative
 address from which you NEVER send mail!
=> SUBMISSIONS: to risks_at_private with meaningful SUBJECT: line.
 *** NOTE: Including the string "notsp" at the beginning or end of the subject
 *** line will be very helpful in separating real contributions from spam.
 *** This attention-string may change, so watch this space now and then.
=> ARCHIVES: ftp://ftp.sri.com/risks for current volume
     or ftp://ftp.sri.com/VL/risks for previous VoLume
 http://www.risks.org takes you to Lindsay Marshall's searchable archive at
 newcastle: http://catless.ncl.ac.uk/Risks/VL.IS.html gets you VoLume, ISsue.
   Lindsay has also added to the Newcastle catless site a palmtop version
   of the most recent RISKS issue and a WAP version that works for many but
   not all telephones: http://catless.ncl.ac.uk/w/r
 <http://the.wiretapped.net/security/info/textfiles/risks-digest/> .
==> PGN's comprehensive historical Illustrative Risks summary of one liners:
    <http://www.csl.sri.com/illustrative.html> for browsing,
    <http://www.csl.sri.com/illustrative.pdf> or .ps for printing
  is no longer maintained up-to-date except for recent election problems.
==> Special Offer to Join ACM for readers of the ACM RISKS Forum:
    <http://www.acm.org/joinacm1>

------------------------------

End of RISKS-FORUM Digest 26.64
************************
Received on Sat Nov 26 2011 - 12:35:30 PST

This archive was generated by hypermail 2.2.0 : Sat Nov 26 2011 - 19:34:03 PST