RISKS-LIST: Risks-Forum Digest  Wednesday 30 May 2012  Volume 26 : Issue 86

ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
Peter G. Neumann, moderator, chmn ACM Committee on Computers and Public Policy

***** See last item for further information, disclaimers, caveats, etc. *****
This issue is archived at <http://www.risks.org> as
  <http://catless.ncl.ac.uk/Risks/26.86.html>
The current issue can be found at
  <http://www.csl.sri.com/users/risko/risks.txt>

  Contents:
Patient Died at New York VA Hospital After Alarm Was Ignored
  (Ornstein/Weber via Monty Solomon)
Driverless cars (Martyn Thomas)
Delta overcharges some fliers because of computer glitch (Monty Solomon)
Hidden Danger of the Fukushima Daiichi Spent Fuel Pool 4 (Tobin Maginnis)
"Customers irked by Quickbooks Online outage" (Chris Kanaracus via Gene Wirchenko)
Vint Cerf warns Web freedom is under attack (Lauren Weinstein)
Utility network protection? No. (PGN)
Bogus story: no Chinese backdoor in military chip (Errata Security via Lauren Weinstein)
RSA [In]SecureID software token (Ben Moore)
The Axis of Weevil? (PGN)
Researchers Propose Way to Thwart Fraudulent Digital Certificates (Brian Prince)
"iCloud user tracks down iPhone thief using photo stream" (Karen Haslam via Gene Wirchenko)
Web billing biz ransacked, smashed offline by hacktivists (John Leyden via Monty Solomon)
"New Trojan empties online customers' bank accounts" (Gene Wirchenko)
Thailand convicts Webmaster for posted site comments (Fuller/Drew via Lauren Weinstein)
New York Legislation Would Ban Anonymous Online Speech (Lauren Weinstein)
UK surveillance program could expose private lives (Lauren Weinstein)
Internet Voting Still Faces Hurdles in U.S. (ACM Tech News)
IBM Outlaws Siri, Worried She Has Loose Lips (Robert McMillan via Monty Solomon)
"Should you care that Siri is taking notes?"
  (Ted Samson via Gene Wirchenko)
Re: Never Trust a Robot (Jane Hesketh)
Re: Disruptions: Indiscreet Photos, Glimpsed Then Gone (Dag-Erling Smørgrav)
Re: Illuminating dialog with a scammer (Alister William Macintyre)
Abridged info on RISKS (comp.risks)

----------------------------------------------------------------------

Date: Fri, 25 May 2012 22:32:36 -0400
From: Monty Solomon <monty_at_private>
Subject: Patient Died at New York VA Hospital After Alarm Was Ignored
  (Ornstein/Weber)

Patient Died at New York VA Hospital After Alarm Was Ignored
Charles Ornstein and Tracy Weber, ProPublica, 15 May 2012

Registered nurses at a Manhattan Veterans Affairs hospital failed to notice a patient had become disconnected from a cardiac monitor until after his heart had stopped and he could not be revived, according to a report Monday from the VA inspector general.

The incident from last June was the second such death at the hospital involving a patient connected to a monitor in a six-month period. The first, along with two earlier deaths at a Denver VA hospital, raised questions about nursing competency in the VA system, ProPublica reported last month. The deaths also prompted a broader review of skills and training of VA nurses.

Only half of 29 VA facilities surveyed by the inspector general in a recent report had adequately documented that their nurses had skills to perform their duties. Even though some nurses "did not demonstrate competency in one or more required skills," the government report stated, there was no evidence of retraining. ...

http://www.propublica.org/article/patient-died-at-new-york-va-hospital-after-alarm-was-ignored

------------------------------

Date: Tue, 29 May 2012 15:36:26 +0100
From: Martyn Thomas <martyn_at_thomas-associates.co.uk>
Subject: Driverless cars

http://www.bbc.co.uk/news/technology-18248841

A convoy of self-driven cars has completed a 200km (125-mile) journey on a Spanish motorway, in the first public test of such vehicles. ...
The cars are fitted with special features such as cameras, radar and laser sensors - allowing the vehicle to monitor the lead vehicle and also other vehicles in their immediate vicinity. Using wireless communication, the vehicles in the platoon "mimic" the lead vehicle using autonomous control - accelerating, braking and turning in exactly the same way as the leader.

The vehicles drove at 85kph (52mph) with the gap between each vehicle just 6m (19ft).

"People think that autonomous driving is science fiction, but the fact is that the technology is already here. From the purely conceptual viewpoint, it works fine and road train will be around in one form or another in the future," says Ms Wahlstroem.

"We've focused really hard on changing as little as possible in existing systems. Everything should function without any infrastructure changes to the roads or expensive additional components in the cars. Apart from the software developed as part of the project, it is really only the wireless network installed between the cars that set them apart from other cars available in showrooms today."

The project aims to herald a new age of relaxed driving. According to Volvo, drivers "can now work on their laptops, read a book or sit back and enjoy a relaxed lunch" while driving.

What could possibly go wrong ...?

  [See Peter Houppermans's item in RISKS-26.83.  PGN]

------------------------------

Date: Sat, 19 May 2012 01:23:39 -0400
From: Monty Solomon <monty_at_private>
Subject: Delta overcharges some fliers because of computer glitch (Nancy Trejos)

Nancy Trejos, *USA Today*, 15 May 2012

Delta Air Lines says a computer glitch caused inconsistencies in airfares between fliers who were logged into the airline's website and those who were not.

Delta spokesman Paul Skrbec told *Today in the Sky* that fares were higher for some passengers and lower for others. The carrier has not yet determined how many customers were affected, he said.
Minneapolis' WCCO first reported on the discrepancies after business executives Patrick Smith and Steve Lisle, who happened to be booking flights side-by-side from Minneapolis to St. Louis a few weeks ago, were given two different prices for an economy seat. Lisle was not logged into his SkyMiles account and was offered a ticket for $300 less. ...

http://travel.usatoday.com/flights/post/2012/05/delta-overcharges-some-fliers-because-of-computer-glitch/695130/1

2 Same Flights, 2 Different Prices: Frequent Flyer Discrepancies
May 15, 2012
http://minnesota.cbslocal.com/2012/05/15/2-same-flights-2-different-prices-frequent-flyer-discrepancies/

------------------------------

Date: May 30, 2012 9:07 AM
From: "Tobin Maginnis" <ptm_at_private>
Subject: Hidden Danger of the Fukushima Daiichi Spent Fuel Pool 4

  [From David Farber's IP distribution.  PGN]

Your readers may like to see this Japanese documentary report on Fukushima Daiichi Spent Fuel Pool 4 (click the closed caption button at the bottom to view the English translation) that lays out how, if supports fail in one building, it can precipitate a world-wide radioactive contamination event.

At 23:00:

Shin-ichi Sano, Author: The world had no choice but to pay attention.

Q: People have said that we must gather expertise from around the world in order to solve the current problem. Regarding Fukushima, this has to happen, don't you think?

A: Indeed. As you say, there is no time for silly arguments. If anything happens, this is not just about the end of Japan, probably the start of the end of the world. I would like them to realize that we are in such a crisis situation.
A Hidden Danger of the Fukushima Daiichi Spent Fuel Pool 4
http://www.youtube.com/watch?v=zuxFQewzPjk#
Published on May 29, 2012 by Goldieluvmj

IP Archives: https://www.listbox.com/member/archive/247/=now

------------------------------

Date: Mon, 28 May 2012 10:30:52 -0700
From: Gene Wirchenko <genew_at_private>
Subject: "Customers irked by Quickbooks Online outage"

Chris Kanaracus, *IT Business*, 25 May 2012
Intuit says it has restored all customers, but angry sentiments linger.
http://www.itbusiness.ca/it/client/en/Home/News.asp?id=67640

Intuit's QuickBooks on-demand accounting system was switched over to its backup center to maintain continuity of service with continued data replication, while upgrading the primary system to fix a detected performance problem. However, during this process, an unspecified error introduced a `synchronization gap', requiring both the primary and backup systems to be taken off-line. 5700 customers were reportedly affected, with varying degrees of delay and difficulty. [PGN-ed]

------------------------------

Date: Mon, 21 May 2012 09:54:11 -0700
From: Lauren Weinstein <lauren_at_private>
Subject: Vint Cerf warns Web freedom is under attack

"Father of the Internet" Vint Cerf on Monday warned that Internet freedom is under threat from governments around the world, including the United States. Cerf, a computer scientist who was instrumental in the Internet's creation, now employed by Google as its "Internet evangelist," said officials in the United States, United Kingdom and Europe are using intellectual property and cybersecurity issues "as an excuse for constraining what we can and can't do on the 'net."

http://j.mp/KFXskP (The Hill)

------------------------------

Date: Thu, 24 May 2012 6:14:08 PDT
From: "Peter G. Neumann" <neumann_at_private>
Subject: Utility network protection?  No.

  [Thanks to Gene Spafford.
  PGN]

http://www.csmonitor.com/USA/2012/0517/Cybersecurity-How-US-utilities-passed-up-chance-to-protect-their-networks

One argument in favor of regulation, because companies won't do it themselves.

------------------------------

Date: May 28, 2012 9:24:44 PM PDT
From: Lauren Weinstein <lauren_at_private>
Subject: Bogus story: no Chinese backdoor in military chip

http://erratasec.blogspot.com/2012/05/bogus-story-no-chinese-backdoor-in.html (Errata Security)

  "Today's big news is that researchers have found proof of Chinese manufacturers putting backdoors in American chips that the military uses. This is false. While they did find a backdoor in a popular FPGA chip, there is no evidence the Chinese put it there, or even that it was intentionally malicious."

  [I agree with this article's analysis. The original story was cyber-scaremongering.  LW]

  [See a lengthy blog item, Bogus story: no Chinese backdoor in military chip.  PGN]
  http://erratasec.blogspot.com/2012/05/bogus-story-no-chinese-backdoor-in.html

------------------------------

Date: Thu, 24 May 2012 16:02:56 GMT
From: "Ben Moore" <ben.moore_at_private>
Subject: RSA [In]SecureID software token

The folks at RSA are at it again. SensePost's blog discussed how to derive the device serial number of RSA's Windows SecureID software token.

  "...the device serial number is dependent on the system's host name and current user's windows security identifier (SID). An attacker, with access to these values, can easily calculate the target token's device serial number and bypass the [RSA SecureID] protection."

http://www.sensepost.com/blog/7045.html

------------------------------

Date: Thu, 24 May 2012 12:04:06 PDT
From: "Peter G. Neumann" <neumann_at_private>
Subject: The Axis of Weevil?

Yahoo! today released its Axis extension for Chrome -- and accidentally leaked its private security key that could allow anyone to create malicious plugins masquerading as official Yahoo!
software

http://www.theregister.co.uk/2012/05/24/yahoo_ships_private_certificate_by_accident/

  [Thanks to Phil Porras.  PGN]

There are signs that the Axis release was just a *bit* rushed. Users have found chunks of the development environment in the released code, and Yahoo appears to have accidentally included their *private* crypto signing key as well:
http://j.mp/Jpgmw2 (Google+)

And their Terms of Service link at the moment leads to a placeholder:
http://j.mp/JpfKX8 (Google+)

  [Thanks to Lauren Weinstein.  PGN]

------------------------------

Date: Wed, 30 May 2012 11:24:58 -0400
From: ACM TechNews <technews_at_private>
Subject: Researchers Propose Way to Thwart Fraudulent Digital Certificates

Brian Prince, eWeek, 24 May 2012
  [via ACM TechNews, Wednesday, May 30, 2012]

Security researchers Moxie Marlinspike and Trevor Perrin say an extension to the transport layer security (TLS) protocol could help address spoofing attacks on the Secure Sockets Layer certificate ecosystem. They have proposed an approach called Trust Assertions for Certificate Keys (TACK), which enables a Web site to sign its TLS server's public keys with a TACK key. Clients can pin a hostname to the TACK key without requiring sites to make changes to their existing certificate chains or limiting their ability to deploy different certificate chains on different servers or change certificate chains at any time. Marlinspike and Perrin note that inside the TACK is a public key and signature. "Once a client has seen the same [hostname, TACK public key] pair multiple times, the client will 'activate' a pin between the hostname and TACK key for a period equal to the length of time the pair has been observed for," the researchers say. "This 'pin activation' process limits the impact of bad pins resulting from transient network attacks or operator error." The browser will reject the session and alert the user when it comes across a fraudulent certificate on a pinned site.
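The pin-activation rule quoted above is the part of TACK that is easiest to misread, so here is an added example (not code from the eWeek article, from Marlinspike and Perrin, or from any TACK implementation) of a client-side pin store in Python that models it and walks through the cases the article raises: a pin that only activates after repeat sightings, a man-in-the-middle on a pinned host, a fraudulent certificate presented without a TACK, and a transient attack on a never-seen host whose bad pin never activates. Assumptions of the example, not of the article: the TACK public key is an opaque identifier and the TACK's signature over the server key is taken as already verified (only the signed key fingerprint is checked); the 30-day cap on the activation period and the rule that an inactive pin is replaced by a newly seen TACK key are this model's own choices; hostnames and key bytes are constructed.

```python
import hashlib
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

DAY = 86_400  # seconds


def key_hash(server_pubkey: bytes) -> str:
    """Fingerprint of the TLS server public key that a TACK signs."""
    return hashlib.sha256(server_pubkey).hexdigest()


@dataclass(frozen=True)
class Tack:
    """A TACK as the article describes it: a TACK public key plus a signature over
    the server's TLS public key. key_id stands in for the public key; the signature
    itself is assumed (simplification of this example) to be verified by the caller,
    so only the fingerprint it covers is carried here."""
    key_id: str
    signed_key_hash: str


def make_tack(key_id: str, server_pubkey: bytes) -> Tack:
    return Tack(key_id, key_hash(server_pubkey))


@dataclass
class Pin:
    key_id: str        # the TACK key this hostname is pinned to
    first_seen: int    # unix time the (hostname, TACK key) pair was first observed
    active_until: int  # the pin is enforced only while now < active_until


class TackPinStore:
    """Client-side pin store implementing the 'pin activation' rule."""

    def __init__(self, max_period: int = 30 * DAY):
        # Cap on the activation period; the article states none, 30 days is an assumption.
        self.max_period = max_period
        self.pins: Dict[str, Pin] = {}

    def is_active(self, hostname: str, now: int) -> bool:
        pin = self.pins.get(hostname)
        return pin is not None and now < pin.active_until

    def observe(self, hostname: str, tack: Optional[Tack],
                server_pubkey: bytes, now: int) -> Tuple[bool, str]:
        """Process one TLS handshake. Returns (accepted, reason)."""
        pin = self.pins.get(hostname)
        active = pin is not None and now < pin.active_until

        if tack is None:
            # An attacker holding a mis-issued certificate but not the TACK private key
            # cannot produce a TACK; on an actively pinned host that is a hard failure.
            return (False, "pinned host presented no TACK") if active else (True, "no TACK, nothing pinned")

        if tack.signed_key_hash != key_hash(server_pubkey):
            # A replayed genuine TACK does not cover the attacker's own server key.
            return False, "TACK does not cover the presented server key"

        if pin is None:
            # First sighting: remember the pair, but active_until == now, so not enforced yet.
            self.pins[hostname] = Pin(tack.key_id, now, now)
            return True, "first sighting, inactive pin stored"

        if pin.key_id == tack.key_id:
            # Same pair seen again: activate for as long as it has been observed (capped).
            observed = now - pin.first_seen
            pin.active_until = now + min(observed, self.max_period)
            return True, "pin activated/extended"

        if active:
            return False, "active pin conflicts with presented TACK key"

        # Inactive pin left by a transient attack or operator error: replace it.
        self.pins[hostname] = Pin(tack.key_id, now, now)
        return True, "inactive pin replaced"


def scenario() -> List[Tuple[str, bool]]:
    """Walk through the article's cases; every entry is True when the store behaves as described."""
    store = TackPinStore()
    real_key = b"constructed: legitimate server public key"
    mitm_key = b"constructed: attacker server public key"
    real_tack = make_tack("tack-key-A", real_key)
    mitm_tack = make_tack("tack-key-MITM", mitm_key)
    h = "bank.example"
    out = [
        ("day 0: first visit accepted", store.observe(h, real_tack, real_key, 0)[0]),
        ("day 0: pin not yet active", not store.is_active(h, 0)),
        ("day 5: same pair seen again", store.observe(h, real_tack, real_key, 5 * DAY)[0]),
        ("day 5: pin now active for 5 days", store.is_active(h, 5 * DAY)),
        ("day 7: MITM with its own TACK rejected", not store.observe(h, mitm_tack, mitm_key, 7 * DAY)[0]),
        ("day 7: fraudulent cert without TACK rejected", not store.observe(h, None, mitm_key, 7 * DAY)[0]),
        ("day 7: replayed real TACK on attacker key rejected", not store.observe(h, real_tack, mitm_key, 7 * DAY)[0]),
        ("day 40: real pair extends the pin", store.observe(h, real_tack, real_key, 40 * DAY)[0]),
        ("day 40: extension capped at 30 days", store.pins[h].active_until == 70 * DAY),
    ]
    t = "shop.example"  # transient attack on a host the client has never seen
    out += [
        ("transient MITM on unpinned host accepted", store.observe(t, mitm_tack, mitm_key, 0)[0]),
        ("next day the real key replaces the inactive bad pin", store.observe(t, real_tack, real_key, 1 * DAY)[0]),
        ("bad pin never became active", not store.is_active(t, 1 * DAY)),
    ]
    return out


if __name__ == "__main__":
    for label, ok in scenario():
        print(("ok   " if ok else "FAIL ") + label)
```

The store deliberately does nothing on a first sighting except remember the pair, which is what keeps a one-off interception from leaving the client with an enforced bad pin; enforcement only grows with the time the same pair has actually been seen.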
http://www.eweek.com/c/a/Security/Researchers-Propose-Way-to-Thwart-Fraudulent-Digital-Certificates-121509/

------------------------------

Date: Fri, 25 May 2012 09:48:29 -0700
From: Gene Wirchenko <genew_at_private>
Subject: "iCloud user tracks down iPhone thief using photo stream" (Karen Haslam)

http://www.itbusiness.ca/it/client/en/cdn/News.asp?id=67617
Karen Haslam, *IT Business*, 24 May 2012
Stolen iPhone beams back photos, displayed in Facebook album

------------------------------

Date: Wed, 23 May 2012 19:38:40 -0400
From: Monty Solomon <monty_at_private>
Subject: Web billing biz ransacked, smashed offline by hacktivists (John Leyden)

WHMCS calls the Feds after credit-card megaleak
John Leyden, 22 May 2012

WHMCS, which provides billing and customer support tech to many web hosts, was comprehensively hacked on Monday and remains offline.

Hackers tricked WHMCS's own hosting firm into handing over admin credentials to its servers. The group that carried out the hack, UGNazi, subsequently extracted the billing company's database before deleting files, essentially trashing the server and leaving services unavailable in the process. The compromised server hosted WHMCS's main website and supported customers' installations of its technology.

UGNazi also gained access to WHMCS's Twitter account, which it used to publicise a series of posts on Pastebin that contained links to locations from which the billing firm's customer records and other sensitive data might be downloaded. A total of 500,000 records, including customer credit card details, were leaked as a result of the hack. ...
http://www.theregister.co.uk/2012/05/22/whmcs_breach/

Hacker group UGNazi leaks and deletes billing service's database
The group used social engineering to access WHMCS's customer database, then leaked 500,000 records online
May 22, 2012
http://www.infoworld.com/t/hacking/hacker-group-ugnazi-leaks-and-deletes-billing-services-database-193867

Hackers Impersonate Web Billing Firm's Staff To Spill 500,000 Users' Passwords And Credit Cards
May 22, 2012
http://www.forbes.com/sites/andygreenberg/2012/05/22/hackers-impersonate-web-billing-firms-staff-to-spill-500000-users-passwords-and-credit-cards/

------------------------------

Date: Wed, 23 May 2012 09:51:44 -0700
From: Gene Wirchenko <genew_at_private>
Subject: "New Trojan empties online customers' bank accounts"

Antone Gonsalves, *IT Business*, 22 May 2012
The Tatanga Trojan was first spotted by German banks, cybersecurity firm Trusteer says.
http://www.itbusiness.ca/it/client/en/Home/News.asp?id=67572

------------------------------

Date: Wed, 30 May 2012 08:29:55 -0700
From: Lauren Weinstein <lauren_at_private>
Subject: Thailand convicts Webmaster for posted site comments

Thomas Fuller and Kevin Drew, *The New York Times*, 30 May 2012

  "Google and human rights groups reacted strongly on Wednesday to a Thai court's decision to convict the webmaster of an Internet message board for comments posted by users that insulted the Thai royal family."

http://j.mp/KwEzjC

Unfortunately, an entirely predictable development. Ultimately, governments want to control Internet content. They vary in their approaches and degrees, but free expression of the sort the Internet enables fundamentally undermines traditional information control regimes.

  [Unblessed be the Thai that blinds.
  PGN]

------------------------------

Date: Tue, 22 May 2012 13:27:13 -0700
From: Lauren Weinstein <lauren_at_private>
Subject: New York Legislation Would Ban Anonymous Online Speech

  Did you hear the one about New York state lawmakers who forgot about the First Amendment in the name of combating cyberbullying and "baseless political attacks"? Proposed legislation in both chambers would require New York-based websites, such as blogs and newspapers, to "remove any comments posted on his or her website by an anonymous poster unless such anonymous poster agrees to attach his or her name to the post." ...

David Kravets, WiReD, 22 May 2012
http://j.mp/KwmzAX

Probability that the legislators involved are opportunists and/or clueless? = 100%
Probability that such legislation could pass Constitutional muster? = 0%

Infuriating that they even waste time on this nonsense.

------------------------------

Date: Fri, 18 May 2012 10:38:37 -0700
From: Lauren Weinstein <lauren_at_private>
Subject: UK surveillance program could expose private lives (NNSquad)

  "British officials have given their word: "We won't read your emails." But experts say the government's proposed new surveillance program will gather so much data that spooks won't have to read your messages to guess what you're up to."

http://j.mp/LeF0dS (AP / Quad City Times)

The seriously disingenuous aspect of Kane's comments is his equating government collection of mass header and traffic analysis data on an involuntary basis -- with voluntary usage of Web-based services. Trying to equate the two in the privacy realm is fundamentally dishonest.

------------------------------

Date: Fri, 25 May 2012 11:18:19 -0400
From: ACM TechNews <technews_at_private>
Subject: Internet Voting Still Faces Hurdles in U.S.

More than two dozen states will accept some form of electronic or faxed ballots in the U.S. 2012 elections, according to the Verified Voting Foundation.
However, computer security experts contend that any system can be hacked or manipulated, which poses a big threat to online voting systems. "You have computer systems such as those of Google, the Pentagon, and Facebook, which have all fallen victim to intrusion," notes University of Michigan computer scientist J. Alex Halderman. Meanwhile, other countries are moving forward with Internet voting plans. For example, French citizens living abroad this year will be able to vote on the Internet in a parliamentary election. In Estonia, a record 25 percent of voters cast Internet ballots in 2011. In the United States, election officials are examining the costs of the technology while struggling with how to make voting more accessible, says Ohio deputy election administrator Matt Masterson. He notes online voting can help boost participation and address the issue of voters who cannot get to a polling station. The U.S. National Institute of Standards and Technology recently concluded that Internet voting systems cannot currently be audited with a comparable level of confidence in the audit results as those for polling stations.

  [Agence France-Presse, 24 May 2012]
http://www.turkishpress.com/news.asp?id=382334

------------------------------

Date: Tue, 22 May 2012 21:18:40 -0400
From: Monty Solomon <monty_at_private>
Subject: IBM Outlaws Siri, Worried She Has Loose Lips (Robert McMillan)

Robert McMillan, 22 May 2012

If you work for IBM, you can bring your iPhone to work, but forget about using the phone's voice-activated digital assistant. Siri isn't welcome on Big Blue's networks.

The reason? Siri ships everything you say to her to a big data center in Maiden, North Carolina. And the story of what really happens to all of your Siri-launched searches, e-mail messages and inappropriate jokes is a bit of a black box.
IBM CIO Jeanette Horan told MIT's Technology Review this week that her company has banned Siri outright because, according to the magazine, "The company worries that the spoken queries might be stored somewhere."

It turns out that Horan is right to worry. In fact, Apple's iPhone Software License Agreement spells this out: "When you use Siri or Dictation, the things you say will be recorded and sent to Apple in order to convert what you say into text," Apple says. Siri collects a bunch of other information - names of people from your address book and other unspecified user data, all to help Siri do a better job.

How long does Apple store all of this stuff, and who gets a look at it? Well, the company doesn't actually say. Again, from the user agreement: "By using Siri or Dictation, you agree and consent to Apple's and its subsidiaries' and agents' transmission, collection, maintenance, processing, and use of this information, including your voice input and User Data, to provide and improve Siri, Dictation, and other Apple products and services."

Because some of the data that Siri collects can be very personal, the American Civil Liberties Union put out a warning about Siri just a couple of months ago. ...

http://www.wired.com/wiredenterprise/2012/05/ibm-bans-siri/

Note to Self: Siri Not Just Working for Me, Working Full-Time for Apple, Too
By Nicole Ozer, ACLU of Northern California (Mar 12, 2012 at 10:00 am)
https://www.aclunc.org/issues/technology/blog/note_to_self_siri_not_just_working_for_me,_working_full-time_for_apple,_too.shtml

------------------------------

Date: Fri, 25 May 2012 09:24:25 -0700
From: Gene Wirchenko <genew_at_private>
Subject: "Should you care that Siri is taking notes?" (Ted Samson)

Ted Samson, InfoWorld, InfoWorld Tech Watch, 25 May 2012
Should you care that Siri is taking notes?
IBM blocks Siri on networked devices even as it acknowledges it sees no threat in Apple capturing voice commands from users
http://www.infoworld.com/t/data-security/should-you-care-siri-taking-notes-194136

opening paragraph:

If you ask Siri, the iPhone's voice-controlled personal assistant, to schedule a sales meeting with a potential new client at a restaurant across town, Siri will dutifully carry out your command (barring any service hiccups) -- and send that information to a server farm in North Carolina to be converted into text and saved. That revelation has bubbled up in the tech world after IBM CIO Jeanette Horan recently told MIT's Technology Review that Big Blue blocks Siri on employees' iOS devices because Apple stores potentially sensitive voice-inputted data.

------------------------------

Date: Sat, 19 May 2012 12:10:31 +0100
From: Jane Hesketh <>
Subject: Re: Never Trust a Robot (RISKS-26.83)

As a cruising sailor of some years' experience, I'd like to point out that there is a simpler explanation for the sad accident than the one where experienced sailors fail to use electronic charts sensibly.

The maximum hull speed of a Hunter 376 (the boat in the incident) is 7.6 knots (8.75 mph / 14.1kph). Enough to hit the rocks, but not at car-crash speeds. People sailing or motoring at this speed try to take the quickest course. If there is an obstruction, common practice is to set a GPS waypoint close to it (good) or even on it (bad) with an alarm, so that on reaching it you are prompted to change course to go round. These alarms aren't loud; they're only intended to alert someone in the cockpit, not wake the whole boat. If there is only one person on watch, and they fail to respond and change course, depending on the boat's electronic systems it is entirely possible that it will just keep going on the current course.
If the crew member on watch has fallen overboard, maybe trying to fix a problem or (if male) is relieving himself over the side and loses his balance - a depressingly common occurrence - that is what will happen. Reports say the middle-aged male skipper was found separate from the others. Unless the rest of the crew are alerted quickly, the casualty is left behind and the boat sails on potentially unsupervised.

In this scenario there are still RISKS of course. Firstly, making it easy to have a single point of failure. Technology helps people sail more short-handed than was once the case. The racing yachts would more likely have a number of people active on board, who would notice if someone fell off and hear an alert even one crew member down. Secondly, technology's inability to operate beyond the world it is designed for, to recognise when it is outside its competence.

------------------------------

Date: Tue, 29 May 2012 12:31:33 +0200
From: Dag-Erling Smørgrav <des_at_private>
Subject: Re: Disruptions: Indiscreet Photos, Glimpsed Then Gone (RISKS-26.83)

> http://www.youtube.com/watch?v=IFe9wiDfb0E

That link doesn't seem to work any more.

  [It does. I failed to delete two extra `3D' strings that your mail system coerces. Now fixed.  PGN]

Here's the original: http://www.tomscott.com/life/

I should probably have provided a summary: the video is an artist's impression of what you'd see if your consciousness was uploaded to silicon upon your death. It includes a sequence where the system edits the subject's memories to remove all occurrences of copyrighted works because the subject's estate can't afford the $19,000 monthly licensing fee.

------------------------------

Date: Mon, 28 May 2012 15:09:58 -0500
From: "Al Mac Wow = Alister William Macintyre" <macwheel99_at_private>
Subject: Re: Illuminating dialog with a scammer

There are several variations on this phone call phishing, which I think is a great risk to unsophisticated PC users.
I have had several calls where I suspect this criminal underworld now has a database of info they elicited from me in prior scam calls, to try to refine their technique. They now know I have two PCs in my house, and can tell me which one they are calling about.

Internet Storm Center (ISC of SANS) is now tracking those phishing phone calls, in an Indian accent, which say they are from Microsoft Support, or some such variation. If you get one, you can now add your experiences to their statistics.
https://isc.sans.edu/reportfakecall.html

------------------------------

Date: Mon, 6 Jun 2011 20:01:16 -0900
From: RISKS-request_at_private
Subject: Abridged info on RISKS (comp.risks)

 The ACM RISKS Forum is a MODERATED digest. Its Usenet manifestation is
 comp.risks, the feed for which is donated by panix.com as of June 2011.
=> SUBSCRIPTIONS: PLEASE read RISKS as a newsgroup (comp.risks or equivalent)
 if possible and convenient for you. The mailman Web interface can
 be used directly to subscribe and unsubscribe:
   http://lists.csl.sri.com/mailman/listinfo/risks
 Alternatively, to subscribe or unsubscribe via e-mail to mailman
 your FROM: address, send a message to
   risks-request_at_private
 containing only the one-word text subscribe or unsubscribe. You may
 also specify a different receiving address: subscribe address= ... .
 You may short-circuit that process by sending directly to either
   risks-subscribe_at_private or risks-unsubscribe_at_private
 depending on which action is to be taken. Subscription and
 unsubscription requests require that you reply to a confirmation message
 sent to the subscribing mail address. Instructions are included in the
 confirmation message. Each issue of RISKS that you receive contains
 information on how to post, unsubscribe, etc.
=> The complete INFO file (submissions, default disclaimers, archive sites,
 copyright policy, etc.) is online.
   <http://www.CSL.sri.com/risksinfo.html>
 The full info file may appear now and then in RISKS issues.
 *** Contributors are assumed to have read the full info file for guidelines.
=> .UK users may contact <Lindsay.Marshall_at_private>.
=> SPAM challenge-responses will not be honored. Instead, use an alternative
 address from which you NEVER send mail!
=> SUBMISSIONS: to risks_at_private with meaningful SUBJECT: line.
 *** NOTE: Including the string "notsp" at the beginning or end of the subject
 *** line will be very helpful in separating real contributions from spam.
 *** This attention-string may change, so watch this space now and then.
=> ARCHIVES: ftp://ftp.sri.com/risks for current volume
 or ftp://ftp.sri.com/VL/risks for previous VoLume
 http://www.risks.org takes you to Lindsay Marshall's searchable archive at
 newcastle: http://catless.ncl.ac.uk/Risks/VL.IS.html gets you VoLume, ISsue.
 Lindsay has also added to the Newcastle catless site a palmtop version
 of the most recent RISKS issue and a WAP version that works for many but not
 all telephones: http://catless.ncl.ac.uk/w/r
 <http://the.wiretapped.net/security/info/textfiles/risks-digest/> .
==> PGN's comprehensive historical Illustrative Risks summary of one liners:
   <http://www.csl.sri.com/illustrative.html> for browsing,
   <http://www.csl.sri.com/illustrative.pdf> or .ps for printing
 is no longer maintained up-to-date except for recent election problems.
==> Special Offer to Join ACM for readers of the ACM RISKS Forum:
   <http://www.acm.org/joinacm1>

------------------------------

End of RISKS-FORUM Digest 26.86
************************
***** This issue is archived at <http://www.risks.org> as <http://catless.ncl.ac.uk/Risks/26.86.html> The current issue can be found at <http://www.csl.sri.com/users/risko/risks.txt> Contents: Patient Died at New York VA Hospital After Alarm Was Ignored (Ornstein/Weber via Monty Solomon) Driverless cars (Martyn Thomas) Delta overcharges some fliers because of computer glitch (Monty Solomon) Hidden Danger of the Fukushima Daiichi Spent Fuel Pool 4 (Tobin Maginnis) "Customers irked by Quickbooks Online outage" (Chris Kanaracus via Gene Wirchenko) Vint Cerf warns Web freedom is under attack (Lauren Weinstein) Utility network protection? No. (PGN) Bogus story: no Chinese backdoor in military chip (Errata Security via Lauren Weinstein) RSA [In]SecureID software token (Ben Moore) The Axis of Weevil? (PGN) Researchers Propose Way to Thwart Fraudulent Digital Certificates (Brian Prince) "iCloud user tracks down iPhone thief using photo stream" (Karen Haslam via Gene Wirchenko) Web billing biz ransacked, smashed offline by hacktivists (John Leyden via Monty Solomon) "New Trojan empties online customers' bank accounts" Gene Wirchenko) Thailand convicts Webmaster for posted site comments (Fuller/Drew via Lauren Weinstein) New York Legislation Would Ban Anonymous Online Speech (Lauren Weinstein) UK surveillance program could expose private lives (Lauren Weinstein) Internet Voting Still Faces Hurdles in U.S. (ACM Tech News) IBM Outlaws Siri, Worried She Has Loose Lips (Robert McMillan via Monty Solomon) "Should you care that Siri is taking notes?" 
(Ted Samson via Gene Wirchenko) Re: Never Trust a Robot (Jane Hesketh) Re: Disruptions: Indiscreet Photos, Glimpsed Then Gone (Dag-Erling Sm?rgrav) Re: Illuminating dialog with a scammer (Alister William Macintyre) Abridged info on RISKS (comp.risks) ---------------------------------------------------------------------- Date: Fri, 25 May 2012 22:32:36 -0400 From: Monty Solomon <monty_at_private> Subject: Patient Died at New York VA Hospital After Alarm Was Ignored (Ornstein/Weber) Patient Died at New York VA Hospital After Alarm Was Ignored Charles Ornstein and Tracy Weber, ProPublica, 15 May 2012 Registered nurses at a Manhattan Veterans Affairs hospital failed to notice a patient had become disconnected from a cardiac monitor until after his heart had stopped and he could not be revived, according to a report Monday from the VA inspector general. The incident from last June was the second such death at the hospital involving a patient connected to a monitor in a six-month period. The first, along with two earlier deaths at a Denver VA hospital, raised questions about nursing competency in the VA system, ProPublica reported last month. The deaths also prompted a broader review of skills and training of VA nurses. Only half of 29 VA facilities surveyed by the inspector general in a recent report had adequately documented that their nurses had skills to perform their duties. Even though some nurses "did not demonstrate competency in one or more required skills," the government report stated, there was no evidence of retraining. ... http://www.propublica.org/article/patient-died-at-new-york-va-hospital-after-alarm-was-ignored ------------------------------ Date: Tue, 29 May 2012 15:36:26 +0100 From: Martyn Thomas <martyn_at_thomas-associates.co.uk> Subject: Driverless cars http://www.bbc.co.uk/news/technology-18248841 A convoy of self-driven cars has completed a 200km (125-mile) journey on a Spanish motorway, in the first public test of such vehicles. ... 
The cars are fitted with special features such as cameras, radar and laser sensors - allowing the vehicle to monitor the lead vehicle and also other vehicles in their immediate vicinity.

Using wireless communication, the vehicles in the platoon "mimic" the lead vehicle using autonomous control - accelerating, braking and turning in exactly the same way as the leader. The vehicles drove at 85kph (52mph) with the gap between each vehicle just 6m (19ft).

"People think that autonomous driving is science fiction, but the fact is that the technology is already here. From the purely conceptual viewpoint, it works fine and road train will be around in one form or another in the future," says Ms Wahlstroem. "We've focused really hard on changing as little as possible in existing systems. Everything should function without any infrastructure changes to the roads or expensive additional components in the cars. Apart from the software developed as part of the project, it is really only the wireless network installed between the cars that sets them apart from other cars available in showrooms today."

The project aims to herald a new age of relaxed driving. According to Volvo, drivers "can now work on their laptops, read a book or sit back and enjoy a relaxed lunch" while driving.

What could possibly go wrong ...?

  [See Peter Houppermans's item in RISKS-26.83. PGN]

------------------------------

Date: Sat, 19 May 2012 01:23:39 -0400
From: Monty Solomon <monty_at_private>
Subject: Delta overcharges some fliers because of computer glitch (Nancy Trejos)

Nancy Trejos, *USA Today*, 15 May 2012

Delta Air Lines says a computer glitch caused inconsistencies in airfares between fliers who were logged into the airline's website and those who were not. Delta spokesman Paul Skrbec told *Today in the Sky* that fares were higher for some passengers and lower for others. The carrier has not yet determined how many customers were affected, he said.

Minneapolis' WCCO first reported on the discrepancies after business executives Patrick Smith and Steve Lisle, who happened to be booking flights side-by-side from Minneapolis to St. Louis a few weeks ago, were given two different prices for an economy seat. Lisle was not logged into his SkyMiles account and was offered a ticket for $300 less. ...

http://travel.usatoday.com/flights/post/2012/05/delta-overcharges-some-fliers-because-of-computer-glitch/695130/1

2 Same Flights, 2 Different Prices: Frequent Flyer Discrepancies
May 15, 2012
http://minnesota.cbslocal.com/2012/05/15/2-same-flights-2-different-prices-frequent-flyer-discrepancies/

------------------------------

Date: May 30, 2012 9:07 AM
From: "Tobin Maginnis" <ptm_at_private>
Subject: Hidden Danger of the Fukushima Daiichi Spent Fuel Pool 4

  [From David Farber's IP distribution. PGN]

Your readers may like to see this Japanese documentary report on Fukushima Daiichi Spent Fuel Pool 4 (click the closed caption button at the bottom to view the English translation) that lays out how, if supports fail in one building, it can precipitate a world-wide radioactive contamination event.

At 23:00:

Shin-ichi Sano, Author: The world had no choice but to pay attention.

Q: People have said that we must gather expertise from around the world in order to solve the current problem. Regarding Fukushima, this has to happen, don't you think?

A: Indeed. As you say, there is no time for silly arguments. If anything happens, this is not just about the end of Japan, probably the start of the end of the world. I would like them to realize that we are in such a crisis situation.
A Hidden Danger of the Fukushima Daiichi Spent Fuel Pool 4
http://www.youtube.com/watch?v=zuxFQewzPjk#
Published on May 29, 2012 by Goldieluvmj

IP Archives: https://www.listbox.com/member/archive/247/=now

------------------------------

Date: Mon, 28 May 2012 10:30:52 -0700
From: Gene Wirchenko <genew_at_private>
Subject: "Customers irked by Quickbooks Online outage"

Chris Kanaracus, *IT Business*, 25 May 2012
Intuit says it has restored all customers, but angry sentiments linger.
http://www.itbusiness.ca/it/client/en/Home/News.asp?id=67640

Intuit's Quickbooks on-demand accounting system was switched over to its backup center to maintain continuity of service with continued data replication, while upgrading the primary system to fix a detected performance problem. However, during this process, an unspecified error introduced a `synchronization gap', requiring both the primary and backup systems to be taken off-line. 5700 customers were reportedly affected, with varying degrees of delay and difficulty. [PGN-ed]

------------------------------

Date: Mon, 21 May 2012 09:54:11 -0700
From: Lauren Weinstein <lauren_at_private>
Subject: Vint Cerf warns Web freedom is under attack

"Father of the Internet" Vint Cerf on Monday warned that Internet freedom is under threat from governments around the world, including the United States. Cerf, a computer scientist who was instrumental in the Internet's creation, now employed by Google as its "Internet evangelist," said officials in the United States, United Kingdom and Europe are using intellectual property and cybersecurity issues "as an excuse for constraining what we can and can't do on the 'net."

http://j.mp/KFXskP (The Hill)

------------------------------

Date: Thu, 24 May 2012 6:14:08 PDT
From: "Peter G. Neumann" <neumann_at_private>
Subject: Utility network protection? No.

  [Thanks to Gene Spafford. PGN]

http://www.csmonitor.com/USA/2012/0517/Cybersecurity-How-US-utilities-passed-up-chance-to-protect-their-networks

One argument in favor of regulation because companies won't do it themselves.

------------------------------

Date: May 28, 2012 9:24:44 PM PDT
From: Lauren Weinstein <lauren_at_private>
Subject: Bogus story: no Chinese backdoor in military chip

http://erratasec.blogspot.com/2012/05/bogus-story-no-chinese-backdoor-in.html (Errata Security)

"Today's big news is that researchers have found proof of Chinese manufacturers putting backdoors in American chips that the military uses. This is false. While they did find a backdoor in a popular FPGA chip, there is no evidence the Chinese put it there, or even that it was intentionally malicious."

  [I agree with this article's analysis. The original story was cyber-scaremongering. LW]

  [See a lengthy blog item, Bogus story: no Chinese backdoor in military chip. PGN]
http://erratasec.blogspot.com/2012/05/bogus-story-no-chinese-backdoor-in.html

------------------------------

Date: Thu, 24 May 2012 16:02:56 GMT
From: "Ben Moore" <ben.moore_at_private>
Subject: RSA [In]SecureID software token

The folks at RSA are at it again. SensePost's blog discussed how to derive the device serial number of RSA's Windows SecureID software token.

"...the device serial number is dependent on the system's host name and current user's windows security identifier (SID). An attacker, with access to these values, can easily calculate the target token's device serial number and bypass the [RSA SecureID] protection."

http://www.sensepost.com/blog/7045.html

------------------------------

Date: Thu, 24 May 2012 12:04:06 PDT
From: "Peter G. Neumann" <neumann_at_private>
Subject: The Axis of Weevil?

Yahoo! today released its Axis extension for Chrome -- and accidentally leaked its private security key that could allow anyone to create malicious plugins masquerading as official Yahoo! software
http://www.theregister.co.uk/2012/05/24/yahoo_ships_private_certificate_by_accident/

  [Thanks to Phil Porras. PGN]

There are signs that the Axis release was just a *bit* rushed. Users have found chunks of the development environment in the released code, and Yahoo appears to have accidentally included their *private* crypto signing key as well:
http://j.mp/Jpgmw2 (Google+)

And their Terms of Service link at the moment leads to a placeholder:
http://j.mp/JpfKX8 (Google+)

  [Thanks to Lauren Weinstein. PGN]

------------------------------

Date: Wed, 30 May 2012 11:24:58 -0400
From: ACM TechNews <technews_at_private>
Subject: Researchers Propose Way to Thwart Fraudulent Digital Certificates

Brian Prince, eWeek, 24 May 2012
  [via ACM TechNews, Wednesday, May 30, 2012]

Security researchers Moxie Marlinspike and Trevor Perrin say an extension to the transport layer security (TLS) protocol could help address spoofing attacks on the Secure Sockets Layer certificate ecosystem. They have proposed an approach called Trust Assertions for Certificate Keys (TACK), which enables a Web site to sign its TLS server's public keys with a TACK key. Clients can pin a hostname to the TACK key without requiring sites to make changes to their existing certificate chains or limiting their ability to deploy different certificate chains on different servers or change certificate chains at any time. Marlinspike and Perrin note that inside the TACK is a public key and signature. "Once a client has seen the same [hostname, TACK public key] pair multiple times, the client will 'activate' a pin between the hostname and TACK key for a period equal to the length of time the pair has been observed for," the researchers say. "This 'pin activation' process limits the impact of bad pins resulting from transient network attacks or operator error." The browser will reject the session and alert the user when it comes across a fraudulent certificate on a pinned site.
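The pin activation rule quoted above, worked through in code. This is an added illustration written for this digest entry, not code from the TACK draft or from the researchers: it models only the client-side pin store, assumes the TACK signature over the server's TLS key has already been verified before `observe` is called, and runs on a constructed timeline measured in whole days.

```python
from dataclasses import dataclass
from typing import Dict, Optional

DAY = 86400.0  # seconds; timestamps below are plain floats from a constructed clock


@dataclass
class Pin:
    tack_key: bytes      # TACK public key the hostname has been seen with
    first_seen: float    # when this (hostname, TACK key) pair was first observed
    last_seen: float
    active_until: float  # 0.0 while the pin has only been recorded, not activated


class TackPinStore:
    """Per-hostname pin store implementing the activation rule quoted above:
    a pin becomes active once the pair has been seen more than once, for a
    period equal to how long the pair has been observed so far."""

    def __init__(self) -> None:
        self._pins: Dict[str, Pin] = {}

    def is_active(self, hostname: str, now: float) -> bool:
        pin = self._pins.get(hostname)
        return pin is not None and now < pin.active_until

    def active_until(self, hostname: str) -> Optional[float]:
        pin = self._pins.get(hostname)
        return None if pin is None else pin.active_until

    def observe(self, hostname: str, tack_key: bytes, now: float) -> str:
        """Process one TLS connection to `hostname` that presented `tack_key`.
        Assumes the caller already verified the TACK signature over the TLS
        server's public key. Returns one of:
          "recorded"  first sighting: pin stored but inactive
          "activated" pair seen again: pin (re)activated / extended
          "rejected"  a different TACK key contradicts an *active* pin
          "replaced"  a different key while no pin is active: store it afresh
        """
        pin = self._pins.get(hostname)
        if pin is None:
            self._pins[hostname] = Pin(tack_key, now, now, 0.0)
            return "recorded"
        if pin.tack_key == tack_key:
            pin.last_seen = now
            # Active period = length of time the pair has been observed for.
            pin.active_until = now + (now - pin.first_seen)
            return "activated"
        if now < pin.active_until:
            # Fraudulent certificate on a pinned site: the session is rejected.
            return "rejected"
        # No active pin: a single bad sighting is only recorded, never enforced,
        # which bounds the damage from a transient attack or an operator error.
        self._pins[hostname] = Pin(tack_key, now, now, 0.0)
        return "replaced"


def run_demo() -> list:
    """Constructed timeline: legitimate key A, then a bogus key B."""
    store = TackPinStore()
    steps = [
        ("example.com", b"tack-key-A", 0 * DAY),  # recorded
        ("example.com", b"tack-key-A", 2 * DAY),  # activated until day 4
        ("example.com", b"tack-key-B", 3 * DAY),  # rejected: pin is active
        ("example.com", b"tack-key-A", 4 * DAY),  # activated until day 8
        ("example.com", b"tack-key-B", 9 * DAY),  # replaced: pin had lapsed
    ]
    return [store.observe(h, k, t) for h, k, t in steps]


if __name__ == "__main__":
    print(run_demo())
```

The last step shows the flip side of the rule: a pin that is not refreshed by further sightings lapses, after which a different key is accepted and recorded rather than rejected.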
http://www.eweek.com/c/a/Security/Researchers-Propose-Way-to-Thwart-Fraudulent-Digital-Certificates-121509/

------------------------------

Date: Fri, 25 May 2012 09:48:29 -0700
From: Gene Wirchenko <genew_at_private>
Subject: "iCloud user tracks down iPhone thief using photo stream" (Karen Haslam)

http://www.itbusiness.ca/it/client/en/cdn/News.asp?id=67617
Karen Haslam, *IT Business*, 24 May 2012
Stolen iPhone beams back photos, displayed in Facebook album

------------------------------

Date: Wed, 23 May 2012 19:38:40 -0400
From: Monty Solomon <monty_at_private>
Subject: Web billing biz ransacked, smashed offline by hacktivists (John Leyden)

WHMCS calls the Feds after credit-card megaleak
John Leyden, 22 May 2012

WHMCS, which provides billing and customer support tech to many web hosts, was comprehensively hacked on Monday and remains offline. Hackers tricked WHMCS's own hosting firm into handing over admin credentials to its servers. The group that carried out the hack, UGNazi, subsequently extracted the billing company's database before deleting files, essentially trashing the server and leaving services unavailable in the process.

The compromised server hosted WHMCS's main website and supported customers' installations of its technology.

UGNazi also gained access to WHMCS's Twitter account, which it used to publicise a series of posts on Pastebin that contained links to locations from which the billing firm's customer records and other sensitive data might be downloaded.

A total of 500,000 records, including customer credit card details, were leaked as a result of the hack. ...

http://www.theregister.co.uk/2012/05/22/whmcs_breach/

Hacker group UGNazi leaks and deletes billing service's database
The group used social engineering to access WHMCS's customer database, then leaked 500,000 records online
May 22, 2012
http://www.infoworld.com/t/hacking/hacker-group-ugnazi-leaks-and-deletes-billing-services-database-193867

Hackers Impersonate Web Billing Firm's Staff To Spill 500,000 Users' Passwords And Credit Cards
May 22, 2012
http://www.forbes.com/sites/andygreenberg/2012/05/22/hackers-impersonate-web-billing-firms-staff-to-spill-500000-users-passwords-and-credit-cards/

------------------------------

Date: Wed, 23 May 2012 09:51:44 -0700
From: Gene Wirchenko <genew_at_private>
Subject: "New Trojan empties online customers' bank accounts"

Antone Gonsalves, *IT Business*, 22 May 2012
The Tatanga Trojan was first spotted by German banks, cybersecurity firm Trusteer says.
http://www.itbusiness.ca/it/client/en/Home/News.asp?id=67572

------------------------------

Date: Wed, 30 May 2012 08:29:55 -0700
From: Lauren Weinstein <lauren_at_private>
Subject: Thailand convicts Webmaster for posted site comments

Thomas Fuller and Kevin Drew, *The New York Times*, 30 May 2012

"Google and human rights groups reacted strongly on Wednesday to a Thai court's decision to convict the webmaster of an Internet message board for comments posted by users that insulted the Thai royal family."
http://j.mp/KwEzjC

Unfortunately, an entirely predictable development. Ultimately, governments want to control Internet content. They vary in their approaches and degrees, but free expression of the sort the Internet enables fundamentally undermines traditional information control regimes.

  [Unblessed be the Thai that blinds. PGN]

------------------------------

Date: Tue, 22 May 2012 13:27:13 -0700
From: Lauren Weinstein <lauren_at_private>
Subject: New York Legislation Would Ban Anonymous Online Speech

Did you hear the one about New York state lawmakers who forgot about the First Amendment in the name of combating cyberbullying and "baseless political attacks"? Proposed legislation in both chambers would require New York-based websites, such as blogs and newspapers, to "remove any comments posted on his or her website by an anonymous poster unless such anonymous poster agrees to attach his or her name to the post." ...

David Kravets, WiReD, 22 May 2012
http://j.mp/KwmzAX

Probability that the legislators involved are opportunists and/or clueless? = 100%
Probability that such legislation could pass Constitutional muster? = 0%

Infuriating that they even waste time on this nonsense.

------------------------------

Date: Fri, 18 May 2012 10:38:37 -0700
From: Lauren Weinstein <lauren_at_private>
Subject: UK surveillance program could expose private lives (NNSquad)

"British officials have given their word: "We won't read your emails." But experts say the government's proposed new surveillance program will gather so much data that spooks won't have to read your messages to guess what you're up to."
http://j.mp/LeF0dS (AP / Quad City Times)

The seriously disingenuous aspect of Kane's comments is his equating government collection of mass header and traffic analysis data on an involuntary basis -- with voluntary usage of Web-based services. Trying to equate the two in the privacy realm is fundamentally dishonest.

------------------------------

Date: Fri, 25 May 2012 11:18:19 -0400
From: ACM TechNews <technews_at_private>
Subject: Internet Voting Still Faces Hurdles in U.S.

More than two dozen states will accept some form of electronic or faxed ballots in the U.S. 2012 elections, according to the Verified Voting Foundation.
However, computer security experts contend that any system can be hacked or manipulated, which poses a big threat to online voting systems. "You have computer systems such as those of Google, the Pentagon, and Facebook, which have all fallen victim to intrusion," notes University of Michigan computer scientist J. Alex Halderman. Meanwhile, other countries are moving forward with Internet voting plans. For example, French citizens living abroad this year will be able to vote on the Internet in a parliamentary election. In Estonia, a record 25 percent of voters cast Internet ballots in 2011. In the United States, election officials are examining the costs of the technology while struggling with how to make voting more accessible, says Ohio deputy election administrator Matt Masterson. He notes online voting can help boost participation and address the issue of voters who cannot get to a polling station. The U.S. National Institute of Standards and Technology recently concluded that Internet voting systems cannot currently be audited with a comparable level of confidence in the audit results as those for polling stations. [Agence France-Presse, 24 May 2012]
http://www.turkishpress.com/news.asp?id=382334

------------------------------

Date: Tue, 22 May 2012 21:18:40 -0400
From: Monty Solomon <monty_at_private>
Subject: IBM Outlaws Siri, Worried She Has Loose Lips (Robert McMillan)

Robert McMillan, 22 May 2012

If you work for IBM, you can bring your iPhone to work, but forget about using the phone's voice-activated digital assistant. Siri isn't welcome on Big Blue's networks. The reason? Siri ships everything you say to her to a big data center in Maiden, North Carolina. And the story of what really happens to all of your Siri-launched searches, e-mail messages and inappropriate jokes is a bit of a black box.

IBM CIO Jeanette Horan told MIT's Technology Review this week that her company has banned Siri outright because, according to the magazine, "The company worries that the spoken queries might be stored somewhere."

It turns out that Horan is right to worry. In fact, Apple's iPhone Software License Agreement spells this out: "When you use Siri or Dictation, the things you say will be recorded and sent to Apple in order to convert what you say into text," Apple says.

Siri collects a bunch of other information - names of people from your address book and other unspecified user data, all to help Siri do a better job.

How long does Apple store all of this stuff, and who gets a look at it? Well, the company doesn't actually say. Again, from the user agreement: "By using Siri or Dictation, you agree and consent to Apple's and its subsidiaries' and agents' transmission, collection, maintenance, processing, and use of this information, including your voice input and User Data, to provide and improve Siri, Dictation, and other Apple products and services."

Because some of the data that Siri collects can be very personal, the American Civil Liberties Union put out a warning about Siri just a couple of months ago. ...

http://www.wired.com/wiredenterprise/2012/05/ibm-bans-siri/

Note to Self: Siri Not Just Working for Me, Working Full-Time for Apple, Too
By Nicole Ozer, ACLU of Northern California (Mar 12, 2012 at 10:00 am)
https://www.aclunc.org/issues/technology/blog/note_to_self_siri_not_just_working_for_me,_working_full-time_for_apple,_too.shtml

------------------------------

Date: Fri, 25 May 2012 09:24:25 -0700
From: Gene Wirchenko <genew_at_private>
Subject: "Should you care that Siri is taking notes?" (Ted Samson)

Ted Samson, InfoWorld, InfoWorld Tech Watch, 25 May 2012

Should you care that Siri is taking notes?
IBM blocks Siri on networked devices even as it acknowledges it sees no threat in Apple capturing voice commands from users
http://www.infoworld.com/t/data-security/should-you-care-siri-taking-notes-194136

opening paragraph:

If you ask Siri, the iPhone's voice-controlled personal assistant, to schedule a sales meeting with a potential new client at a restaurant across town, Siri will dutifully carry out your command (barring any service hiccups) -- and send that information to a server farm in North Carolina to be converted into text and saved. That revelation has bubbled up in the tech world after IBM CIO Jeanette Horan recently told MIT's Technology Review that Big Blue blocks Siri on employees' iOS devices because Apple stores potentially sensitive voice-inputted data.

------------------------------

Date: Sat, 19 May 2012 12:10:31 +0100
From: Jane Hesketh <>
Subject: Re: Never Trust a Robot (RISKS-26.83)

As a cruising sailor of some years' experience, I'd like to point out that there is a simpler explanation for the sad accident than the one where experienced sailors fail to use electronic charts sensibly.

The maximum hull speed of a Hunter 376 (the boat in the incident) is 7.6 knots (8.75 mph / 14.1kph). Enough to hit the rocks, but not at car-crash speeds. People sailing or motoring at this speed try to take the quickest course. If there is an obstruction, common practice is to set a GPS waypoint close to it (good) or even on it (bad) with an alarm, so that on reaching it you are prompted to change course to go round. These alarms aren't loud; they're only intended to alert someone in the cockpit, not wake the whole boat. If there is only one person on watch, and they fail to respond and change course, depending on the boat's electronic systems it is entirely possible that it will just keep going on the current course.
If the crew member on watch has fallen overboard, maybe trying to fix a problem or (if male) is relieving himself over the side and loses his balance - a depressingly common occurrence - that is what will happen. Reports say the middle-aged male skipper was found separate from the others. Unless the rest of the crew are alerted quickly, the casualty is left behind and the boat sails on potentially unsupervised.

In this scenario there are still RISKS of course. Firstly, making it easy to have a single point of failure. Technology helps people sail more short-handed than was once the case. The racing yachts would more likely have a number of people active on board, who would notice if someone fell off and hear an alert even one crew member down. Secondly, technology's inability to operate beyond the world it is designed for, to recognise when it is outside its competence.

------------------------------

Date: Tue, 29 May 2012 12:31:33 +0200
From: Dag-Erling Smørgrav <des_at_private>
Subject: Re: Disruptions: Indiscreet Photos, Glimpsed Then Gone (RISKS-26.83)

> http://www.youtube.com/watch?v=IFe9wiDfb0E

That link doesn't seem to work any more.

  [It does. I failed to delete two extra `3D' strings that your mail system coerces. Now fixed. PGN]

Here's the original: http://www.tomscott.com/life/

I should probably have provided a summary: the video is an artist's impression of what you'd see if your consciousness was uploaded to silicon upon your death. It includes a sequence where the system edits the subject's memories to remove all occurrences of copyrighted works because the subject's estate can't afford the $19,000 monthly licensing fee.

------------------------------

Date: Mon, 28 May 2012 15:09:58 -0500
From: "Al Mac Wow = Alister William Macintyre" <macwheel99_at_private>
Subject: Re: Illuminating dialog with a scammer

There are several variations on this phone call phishing, which I think is a great risk to unsophisticated PC users.

I have had several calls where I suspect this criminal underworld now has a database of info they elicited from me in prior scam calls, to try to refine their technique. They now know I have two PCs in my house, and can tell me which one they are calling about.

Internet Storm Center (ISC of SANS) is now tracking those phishing phone calls, in Indian accent, which say they are from Microsoft Support, or some such variation. If you get one, you can now add your experiences to their statistics.
https://isc.sans.edu/reportfakecall.html

------------------------------

Date: Mon, 6 Jun 2011 20:01:16 -0900
From: RISKS-request_at_private
Subject: Abridged info on RISKS (comp.risks)

 The ACM RISKS Forum is a MODERATED digest. Its Usenet manifestation is comp.risks, the feed for which is donated by panix.com as of June 2011.
=> SUBSCRIPTIONS: PLEASE read RISKS as a newsgroup (comp.risks or equivalent) if possible and convenient for you. The mailman Web interface can be used directly to subscribe and unsubscribe:
 http://lists.csl.sri.com/mailman/listinfo/risks
 Alternatively, to subscribe or unsubscribe via e-mail to mailman your FROM: address, send a message to risks-request_at_private containing only the one-word text subscribe or unsubscribe. You may also specify a different receiving address: subscribe address= ... . You may short-circuit that process by sending directly to either risks-subscribe_at_private or risks-unsubscribe_at_private depending on which action is to be taken.
 Subscription and unsubscription requests require that you reply to a confirmation message sent to the subscribing mail address. Instructions are included in the confirmation message. Each issue of RISKS that you receive contains information on how to post, unsubscribe, etc.
=> The complete INFO file (submissions, default disclaimers, archive sites, copyright policy, etc.) is online. <http://www.CSL.sri.com/risksinfo.html>
 The full info file may appear now and then in RISKS issues.
 *** Contributors are assumed to have read the full info file for guidelines.
=> .UK users may contact <Lindsay.Marshall_at_private>.
=> SPAM challenge-responses will not be honored. Instead, use an alternative address from which you NEVER send mail!
=> SUBMISSIONS: to risks_at_private with meaningful SUBJECT: line.
 *** NOTE: Including the string "notsp" at the beginning or end of the subject
 *** line will be very helpful in separating real contributions from spam.
 *** This attention-string may change, so watch this space now and then.
=> ARCHIVES: ftp://ftp.sri.com/risks for current volume
 or ftp://ftp.sri.com/VL/risks for previous VoLume
 http://www.risks.org takes you to Lindsay Marshall's searchable archive at newcastle:
 http://catless.ncl.ac.uk/Risks/VL.IS.html gets you VoLume, ISsue.
 Lindsay has also added to the Newcastle catless site a palmtop version of the most recent RISKS issue and a WAP version that works for many but not all telephones: http://catless.ncl.ac.uk/w/r
 <http://the.wiretapped.net/security/info/textfiles/risks-digest/> .
==> PGN's comprehensive historical Illustrative Risks summary of one liners:
 <http://www.csl.sri.com/illustrative.html> for browsing,
 <http://www.csl.sri.com/illustrative.pdf> or .ps for printing
 is no longer maintained up-to-date except for recent election problems.
==> Special Offer to Join ACM for readers of the ACM RISKS Forum:
 <http://www.acm.org/joinacm1>

------------------------------

End of RISKS-FORUM Digest 26.86
************************