RISKS-LIST: Risks-Forum Digest  Tuesday 17 July 2012  Volume 26 : Issue 92

ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
Peter G. Neumann, moderator, chmn ACM Committee on Computers and Public Policy

***** See last item for further information, disclaimers, caveats, etc. *****
This issue is archived at <http://www.risks.org> as
  <http://catless.ncl.ac.uk/Risks/26.92.html>
The current issue can be found at
  <http://www.csl.sri.com/users/risko/risks.txt>

  Contents:
Major Snafu in New Zealand Election was 'Human Error' (Chris J Brady)
FDA spied on its own people - and then the evidence leaked (Peter Houppermans)
Deep packet inspection device purged of flaw that threatened TOR users
  (Ars Technica via Lauren Weinstein)
Cyberoam fixes SSL snooping hole in network security appliances
  (Lucian Constantin via Gene Wirchenko)
Privacy trumps cybersecurity! (PGN)
Wireless Device syncs through anyone's computer (Richard Karash)
In the UK, encryption implies potential guilt? (Lauren Weinstein)
China censoring video (Didi Tang via Rodney Van Meter)
FCC chief blasts Russia for passing Internet censorship bill
  (Brendan Sasso via Dewayne Hendricks)
Yahoo Passwords Stolen in Latest Data Breach (Drew Fitzgerald via Monty Solomon)
American Express security cluelessness (Jonathan Kamens)
Re: San Diego fireworks suffer a *slight* glitch (Joel Garry)
Re: A320 Lost 2 of 3 Hydraulic Systems on takeoff (Roger Hird)
Re: RBS computer failure condemns man (Martin Ward, Chris D.)
Re: UK considers broad Web site blocking by default (Chris D.)
Re: Taxing old browsers out of existence (Jonathan Kamens)
Announcement of civil timekeeping meeting (Rob Seaman)
Abridged info on RISKS (comp.risks)

----------------------------------------------------------------------

Date: Wed, 11 Jul 2012 06:09:50 -0700 (PDT)
From: Chris J Brady <chrisjbrady_at_private>
Subject: Major Snafu in New Zealand Election was 'Human Error'

Human error is being blamed for the TECT election blunder where 10,000 election packs were sent to old or incorrect addresses.  [Why did the database have old or incorrect addresses in it in the first place? - CJB]

An error in setting the parameters in establishing the TECT election voter database resulted in the error, estimated to cost about NZ$80,000.

TrustPower spokesman Graeme Purches says: ``the search parameters used when separating eligible voters from the company's everyday database had not been broad enough.  It was just a human error, simple as that.  It was for a purpose that we don't normally use it for.''  [Using casual NZ-speak for dumbing down the snafu - CJB]

He continued: ``It involves going into the system and setting a bunch of parameters.  The person who did it didn't set the parameters correctly and then the thing wasn't tested.''  [Er - what's a 'bunch of parameters' - ah - yes 'search constraints.']

He added: ``This is a request that happens once every two years, so somebody was doing something they don't normally do as part of their job and, unfortunately, we didn't have the checks and balances in place to make sure it was done absolutely correctly.''  [Nothing like a trial run then?
- CJB]

http://www.sunlive.co.nz/news/28228-human-error-caused-tect-botchup.html

------------------------------

Date: Sun, 15 Jul 2012 13:09:22 +0200
From: Peter Houppermans <peter_at_private>
Subject: FDA spied on its own people - and then the evidence leaked

An absolute classic example of what can happen if surveillance isn't very tightly controlled: the FDA's attempts to find an insider leak came off the rails in a way that will be costly in both financial and human terms.

http://www.nytimes.com/2012/07/15/us/fda-surveillance-of-scientists-spread-to-outside-critics.html?_r=1
http://j.mp/PURO0p

"In Vast Effort, F.D.A. Spied on E-Mails of Its Own Scientists
Eric Lichtblau and Scott Shane, *The New York Times*, 14 Jul 2012

A wide-ranging surveillance operation by the Food and Drug Administration against a group of its own scientists used an enemies list of sorts as it secretly captured thousands of e-mails that the disgruntled scientists sent privately to members of Congress, lawyers, labor officials, journalists and even President Obama, previously undisclosed records show."

This is exactly the scenario I offer those who think they have nothing to hide: after abuse of intercept capability, the second risk is not what people in an official capacity see (it's their job), it's what happens when that information escapes into the wild through malice or incompetence.

The privilege of the ability to violate the basic human right to privacy to fight crime must be guarded jealously and should only be exercised with oversight.  The question "what do you have to hide" is in my opinion reserved for those who seek to avoid accounting for their call on that privilege.

Note that the FDA has come up with a new "crime": people are "guilty of RECEIVING confidential information".  Unbelievable...

Peter Houppermans, President, Private & Confidential Group (PnCG), Switzerland

------------------------------

Date: Mon, 9 Jul 2012 15:54:17 -0700
From: Lauren Weinstein <lauren_at_private>
Subject: Deep packet inspection device purged of flaw that threatened TOR users

http://j.mp/NaSQDz (Ars Technica)

"Examination of a certificate chain generated by a Cyberoam DPI device shows that all such devices share the same CA certificate and hence the same private key," TOR researcher Runa A. Sandvik wrote in a blog post published last Tuesday.  "It is therefore possible to intercept traffic from any victim of a Cyberoam device with any other Cyberoam device - or to extract the key from the device and import it into other DPI devices, and use those for interception."

Someone commenting on the post went on to publish the purported private key used by the Cyberoam certificate.

Lauren Weinstein (lauren@private): http://www.vortex.com/lauren
People For Internet Responsibility: http://www.pfir.org
Network Neutrality Squad: http://www.nnsquad.org

------------------------------

Date: Tue, 10 Jul 2012 20:39:58 -0700
From: Gene Wirchenko <genew_at_private>
Subject: Cyberoam fixes SSL snooping hole in network security appliances (Lucian Constantin)

Lucian Constantin, *InfoWorld*, 9 Jul 2012
Cyberoam issues a hotfix for UTM appliances after the default private key used for SSL traffic inspection gets leaked online
http://www.infoworld.com/d/security/cyberoam-fixes-ssl-snooping-hole-in-network-security-appliances-197299

------------------------------

Date: Wed, 11 Jul 2012 20:25:48 PDT
From: "Peter G. Neumann" <neumann_at_private>
Subject: Privacy trumps cybersecurity!

Interesting analysis, in that many people don't understand the implications of the loss of privacy *or* of the nonexistence of meaningful cybersecurity.
http://nationaljournal.com/daily/privacy-trumps-cybersecurity-poll-shows-20120710

------------------------------

Date: Tue, 10 Jul 2012 15:52:22 -0400
From: Richard Karash <richard_at_private>
Subject: Wireless Device syncs through anyone's computer

FitBit is a personal pedometer in a tiny package.  Also records your sleep.  Connects wirelessly through a very modest "base station" connected by USB to your computer.  The wireless connection is ANT 2.4GHz from Nordic, and ANT FS file protocol.  Your FitBit data is harvested anytime you are near your base station, sent to their Cloud (a web site) for your inspection.  Page displays your data and last sync time.

I became suspicious when I found my data was updated when I hadn't been near my base station and computer.

As just confirmed by the manufacturer at fitbit.com, every FitBit pedometer syncs through any base station that it happens to encounter.  Unless the whole transaction is encrypted, Eve could watch the communications stack or use the APIs to configure a base station to harvest this data.

Risk: Not much in this specific case; my pedometer data isn't very sensitive, but I am more concerned that others might know exactly when I went to sleep, got up, and how many times I awoke during the night.  What if a manufacturer of a richer device adopted the same practice?  Your contacts or worse, visible to any Eve who wants to collect data?

------------------------------

Date: Thu, 12 Jul 2012 18:37:08 -0700
From: Lauren Weinstein <lauren_at_private>
Subject: In the UK, encryption implies potential guilt?

In The UK, You Will Go To Jail Not Just For Encryption, But For Astronomical Noise, Too
http://j.mp/Sf2EwT (Falkvinge via NNSquad)

"There was some surprise in the comments of yesterday's post over the fact that the United Kingdom has effectively outlawed encryption: the UK will send its citizens to jail for up to five years if they cannot produce the key to an encrypted data set."
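[Editor's worked example for the two Cyberoam items above.  The risk Sandvik describes is that every appliance carries the same interception CA certificate and private key, so a client that installed "its" appliance's CA as a trust root will also accept certificates minted by any other unit, or by anyone holding the leaked key.  The Go program below is an illustration written for this page; it is not Cyberoam's, Tor's or Ars Technica's code.  It builds throw-away interception CAs with the standard library, mints a server certificate for a hostname the way an inspecting proxy does, and asks what a client trusting exactly one appliance CA accepts.  The CA names, the host example.com and the two scenarios are constructed for the demonstration.]

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// InterceptCA is the CA material a TLS-inspecting appliance uses to mint
// certificates for every site its users visit.
type InterceptCA struct {
	Cert *x509.Certificate
	Key  *ecdsa.PrivateKey
}

func newKey() *ecdsa.PrivateKey {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	return k
}

// NewInterceptCA creates a fresh self-signed CA. The name is a constructed label.
func NewInterceptCA(name string) *InterceptCA {
	key := newKey()
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: name},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return &InterceptCA{Cert: cert, Key: key}
}

// ForgeLeaf does what the appliance does on every intercepted connection:
// issue a server certificate for host, signed by the interception CA.
func (ca *InterceptCA) ForgeLeaf(host string) *x509.Certificate {
	leafKey := newKey()
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()),
		Subject:      pkix.Name{CommonName: host},
		DNSNames:     []string{host},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, ca.Cert, &leafKey.PublicKey, ca.Key)
	if err != nil {
		panic(err)
	}
	leaf, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return leaf
}

// ClientAccepts models a browser on which exactly one appliance CA has been
// installed as a trust root, the usual setup for sanctioned SSL inspection.
func ClientAccepts(trustedRoot, leaf *x509.Certificate, host string) bool {
	roots := x509.NewCertPool()
	roots.AddCert(trustedRoot)
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, DNSName: host})
	return err == nil
}

// SharedKeyScenario: the vendor ships one CA certificate and key in every unit
// (constructed model of the flaw). "otherBox" holds the same material, as any
// other unit does, or as anyone does once the key has leaked.
func SharedKeyScenario(host string) (fromOwnBox, fromOtherBox bool) {
	vendorCA := NewInterceptCA("Shared DPI CA (constructed)")
	myBox := vendorCA
	otherBox := &InterceptCA{Cert: vendorCA.Cert, Key: vendorCA.Key}
	fromOwnBox = ClientAccepts(myBox.Cert, myBox.ForgeLeaf(host), host)
	fromOtherBox = ClientAccepts(myBox.Cert, otherBox.ForgeLeaf(host), host)
	return fromOwnBox, fromOtherBox
}

// PerDeviceKeyScenario: each unit generates its own CA at install time, so a
// certificate minted by another unit chains to a root the client never trusted.
func PerDeviceKeyScenario(host string) (fromOwnBox, fromOtherBox bool) {
	myBox := NewInterceptCA("DPI CA unit 1 (constructed)")
	otherBox := NewInterceptCA("DPI CA unit 2 (constructed)")
	fromOwnBox = ClientAccepts(myBox.Cert, myBox.ForgeLeaf(host), host)
	fromOtherBox = ClientAccepts(myBox.Cert, otherBox.ForgeLeaf(host), host)
	return fromOwnBox, fromOtherBox
}

func main() {
	own, other := SharedKeyScenario("example.com")
	fmt.Printf("shared key:     own box trusted=%v  other box trusted=%v\n", own, other)
	own, other = PerDeviceKeyScenario("example.com")
	fmt.Printf("per-device key: own box trusted=%v  other box trusted=%v\n", own, other)
}
```

[In the shared-key run both forgeries verify; in the per-device run only the unit whose CA the client actually installed can impersonate example.com.  A per-device CA only narrows the blast radius to that one box: a key that can be extracted from the appliance, as the second item reports happened here, still lets whoever holds it mint trusted certificates for every user of that box until the CA is replaced.]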
------------------------------

Date: July 12, 2012 9:43:40 PM EDT
From: Rodney Van Meter <rdv_at_private>
Subject: China censoring video (Didi Tang)

Didi Tang, *CIO Today*, July 12, 2012 [via Dave Farber's IP]
At the same time Russia is increasing Internet censorship, so is China.

China Tightens Up Online Video Censorship
http://www.cio-today.com/news/China-To-Censor-Online-Video-Content-/story.xhtml?story_id=030002R9QVAU

If you run a video web site in China, you now have a daunting task: Screen all your content and censor out anything questionable before posting.  Regulators say video providers should bear responsibility for web programs, though it did not offer specific standards or mention penalties for online providers who fail to comply.

------------------------------

Date: Thursday, July 12, 2012
From: *Dewayne Hendricks*
Subject: FCC chief blasts Russia for passing Internet censorship bill (Brendan Sasso)

Brendan Sasso, *The Hill*, 12 Jul 2012
http://thehill.com/blogs/hillicon-valley/technology/237515-fcc-chief-blasts-russia-for-passing-internet-censorship-bill

Julius Genachowski, chairman of the Federal Communications Commission (FCC), issued a statement late Wednesday slamming Russia for passing a bill that would allow the government to blacklist certain websites.  He said the country had moved in a "troubling and dangerous direction."

"The world's experience with the Internet provides a clear lesson: a free and open Internet promotes economic growth and freedom; restricting the free flow of information is bad for consumers, businesses, and societies," he said.

The FCC chief explained that he recently attended an economic forum in Russia where he discussed how expanding broadband Internet access can grow a country's economy and improve education, health care and government services.  He argued that a free and open Internet is essential to meeting those goals.

"I believe this legislation will stifle investment in broadband and impede innovations that could advance Russia's promising Internet economy," Genachowski said.

The Russian Duma, its lower house of Parliament, approved the controversial bill unanimously on Wednesday.  The measure would give the government the power to force site owners and Internet providers to shut down blacklisted sites.

Supporters of the bill say it is aimed at curbing child pornography and sites that promote drug use or suicide.  But critics warn it is attempt to stifle political dissent in a country where the government already owns the television stations.

The Russian Wikipedia blacked itself out earlier this week in protest, warning the bill would create the Russian version of China's "great firewall," which allows the government to filter Internet content.

------------------------------

Date: Fri, 13 Jul 2012 00:14:53 -0400
From: Monty Solomon <monty_at_private>
Subject: Yahoo Passwords Stolen in Latest Data Breach (Drew Fitzgerald)

Drew Fitzgerald, Yahoo Passwords Stolen in Latest Data Breach, *Wall Street Journal*, 12 Jul 2012

Yahoo Inc. said it is investigating a data breach that allowed a hacker group to download about 453,000 unencrypted user names and passwords in another black eye for the Internet company.

The Sunnyvale, Calif., company said Thursday that the compromised user information belongs to Yahoo Voices, a self-publishing service once known as Associated Content.  A hacking organization called D33Ds Co. posted the stolen data on its website and appended a note describing the download "as a wake-up call and not as a threat."  The group said it aims to expose Yahoo's vulnerabilities.

Yahoo said that less than 5% of the Voices accounts had still-valid passwords, though the file disclosed email addresses from hundreds of thousands of users.  Some people registered for the Yahoo service using email addresses from other services such as AOL Inc. and Google Inc.'s Gmail, neither of which were hacked.  But with users' Yahoo Voices passwords exposed online, those users who shared passwords across several websites could still see other accounts compromised.

Yahoo said in an emailed statement that it is fixing the vulnerability that led to the data breach.  The company also said it is changing affected users' passwords and notifying companies with accounts that might have been compromised.

Constellation Research analyst Ray Wang said Yahoo apparently fell prey to an extremely common kind of database attack that most companies typically take steps to combat. ...

http://online.wsj.com/article/SB10001424052702304373804577522613740363638.html

------------------------------

Date: Wed, 4 Jul 2012 18:58:50 -0400
From: Jonathan Kamens <jik_at_private>
Subject: American Express security cluelessness

American Express called me today to discuss an issue with my (corporate) card.  They left a voicemail message telling me to call them back.  The number they gave was different than the number on the back of my card.  I called it, and the first thing I heard was a recorded voice asking me to enter my credit card number.  I hung up and called the number on the back of the card.

It turns out the call was legitimate, but it could just as easily have been a social engineering attempt to get my AmEx card number and other data.  It's distressing that AmEx, which really should know better, is too stupid to understand that they should not be conditioning their customers to call random telephone numbers based on nothing more than a generic voicemail message.  "Please call the number on the back of your card" would be a far better idea.
------------------------------

Date: Thu, 12 Jul 2012 14:12:05 -0700 (PDT)
From: jgar the jorrible <joel-garry_at_private>
Subject: Re: San Diego fireworks suffer a *slight* glitch (Lesher, RISKS-26.91)

The company has an official statement:
http://www.bigbayboom.com/wp-content/uploads/2012/07/BBBFS-Garden-State-News-Release-July-11-2012.pdf

"Before the two files are loaded into each of the five computer controllers, the primary and the secondary file are merged through the software to create a new file that is then loaded into each of the controllers.  During the downloading process, an unintentional additional procedural step occurred in the loading process which allowed the creation of an anomaly that 'doubled' the primary firing sequence.  The primary sequence then consisted of a sequence that would fire the entire display simultaneously and then proceed to fire the display in the proper sequence."

I wonder what that additional procedural step was?  Shaky fingers on control-v paste?

------------------------------

Date: Wed, 11 Jul 2012 19:25:53 +0100
From: Roger Hird <rl.hird_at_private>
Subject: Re: A320 Lost 2 of 3 Hydraulic Systems on takeoff (RISKS-26.91)

There was a substantial exchange of INFORMED professional comment on this incident in the Rumours and News forum of www.pprune.org about two weeks ago - including detailed consideration of the consequences of failure of each of the three hydraulic systems or combinations of them.  The original newspaper report is stronger on passenger reports than on hard facts.  The professionals did manage to worm out that the crew probably managed to bring one of the "failed" systems back into use before landing (it isn't clear on the limited information available if a second system had actually failed or just overheated as a consequence of the first one's failure).

Professional opinion also included the possibility that the passenger nausea was only to be expected in flying a tight holding pattern over hot desert for three hours, perhaps with yaw stabilisers off-line due to the failure.

It's an interesting story and no doubt, since it is in civil aviation and in the USA, we will one day read a full and accurate account/diagnosis of what happened - unlike in most IT disasters - but I've learned over a year or so of consulting PPRuNe that media accounts like this need to be taken with a pinch of salt - or reviewed by professionals - I'm sure Martin Thomas would agree!

Roger Hird <rl.hird@private> http://roger.hird.orpheusweb.co.uk

------------------------------

Date: Thu, 12 Jul 2012 11:10:57 +0100
From: Martin Ward <martin_at_private>
Subject: Re: RBS computer failure condemns man ... (Goldberg, RISKS-26.91)

Things do indeed go wrong in technology: and this is why it is *essential* to have systems in place to mitigate such failures.  The RBS fiasco is a result of two independent, and utterly inexcusable, failings by RBS management *in addition to* the original failure:

(1) No means to backtrack an update and restore the system to its original state.  It is essential before undertaking any update to a critical system that there should be a means to quickly restore the system, in case of unexpected problems.  Not having such a restore function is an inexcusable failure on the part of RBS management.

(2) No disaster recovery in place.  OK, so your update has rendered a critical system inoperable and you stupidly forgot to implement a system to restore it.  There are many potential disasters which can render critical systems inoperable: so disaster recovery systems are essential.  Not having a working disaster recovery system is an inexcusable failure on the part of RBS management.

Note that customers will be reimbursed for the cost of fines and fees: i.e. the bank will graciously waive the fees *they* would have charged for problems *they* have caused, but they are refusing to pay any compensation for the problems they have caused.  So there is no incentive for the bank to spend any money on system restore features or disaster recovery in the future.  So we can expect similar failures to occur again.

STRL Reader in Software Engineering and Royal Society Industry Fellow
martin@private  http://www.cse.dmu.ac.uk/~mward/

------------------------------

Date: Thu, 12 Jul 2012 22:01:35 +0100
From: "Chris D." <e767pmk_at_private>
Subject: Re: RBS computer failure condemns man ... (Goldberg, RISKS-26.91)

As mentioned, UK media have had little technical detail but a tsunami of finger-pointing and pontification (accidents don't happen by accident nowadays, someone always has to be blamed and punished!), though one report commented that historically, British bank branches only opened 9am-3pm Monday-Friday, thus giving plenty of time overnight for processing each day's transactions, and whole weekends for software updates.  Nowadays bank branches are open during normal retail store hours and many customers handle their accounts on-line, so banking runs 24/7, hence any hold-up quickly creates a huge backlog of data to be processed.

------------------------------

Date: Thu, 12 Jul 2012 22:01:35 +0100
From: "Chris D." <e767pmk_at_private>
Subject: Re: UK considers broad Web site blocking by default (RISKS-26.91)

Comment from a Brit: and if you have the block in place but attempt to access barred sites, is this also recorded?

What nobody's really explained is how 'unsuitable' web sites are to be identified and blocked; people talk as if ISP sysadmins just have to uncheck the box marked "allow pornography" and we're safe...  I haven't actually done any research here (!), but presumably 'unsuitable' (who decides?) web sites don't always have distinguishing features, so blocking would have to work on a similar basis to spam e-mail filters (e.g. Bayesian), with the same hit-and-miss success rates.

The large telecomms company where I used to work had a commercial web filter facility which was laughable in its effectiveness (though in this case it was probably intended more to avoid embarrassing "Employees Download Porn With Company Computers" headlines than protect workers' sensitivities), but each filter 'hit' warning screen had a reminder that the attempt was recorded for possible disciplinary action.  (Allegedly in the early days it only used URLs so could be circumvented with the IP address of a banned site.)

Incidentally, a woman columnist in the newspaper described her concern at discovering that her husband spent much time on the website http://modelingmadness.com/, which turned out to be about his hobby of scale models of World War 2 fighter aircraft, rather than glamorous women...

------------------------------

Date: Fri, 29 Jun 2012 04:56:34 -0400
From: Jonathan Kamens <jik_at_private>
Subject: Re: Taxing old browsers out of existence (RISKS-26.90)

Mark Thorson is "disturbed" by a retailer charging an extra fee for users who make purchases using IE7.  I am more sanguine.

* From an economic point of view, the continued use by many people of extremely old browsers is a bane on the existence of web developers.  It costs companies real money in terms of increased development, QA and maintenance time on their web applications.

* From a progress point of view, the resources spent supporting old, buggy browsers lacking many of the features of modern ones could otherwise have been spent progressing application technology in useful ways, and thus the continued existence of very old browsers in the user space hampers forward progress.
* From a security point of view, while it's true that new vulnerabilities are being identified and patched in modern browsers every day, there are surely also many vulnerabilities in the old, obsolete browsers, and those _aren't_ being patched.  Thus, it seems to me that their users are overall more vulnerable to threats than users of modern browsers.  (On the other hand, this is merely my personal theory / impression; I concede that one could just as easily argue that attackers don't bother as much to go after really old browsers, and many newly exploited vulnerabilities are in technologies that don't exist in old browsers.)

The small-l-libertarian and free-market-capitalist in me says that if this particular retailer has decided that the "IE7 fee" makes economic sense for them, they're perfectly within their rights to impose it, and their customers are perfectly within their rights to shop elsewhere if they don't approve.

------------------------------

Date: Tue, 10 Jul 2012 11:44:37 -0700
From: Rob Seaman <seaman_at_private>
Subject: Announcement of civil timekeeping meeting

"Requirements for UTC and Civil Timekeeping on Earth"
A Colloquium Addressing a Continuous Time Standard
to be held at the University of Virginia, Charlottesville, VA
May 29-31, 2013, http://futureofutc.org

This is a successor to the meeting "Decoupling Civil Timekeeping from Earth Rotation" held in October 2011, with proceedings available from the American Astronautical Society (http://www.univelt.com/book=3042).

In January 2012, a proposal to redefine Coordinated Universal Time (UTC) without leap seconds was discussed at the Radiocommunication Assembly of the International Telecommunication Union (http://youtu.be/C-2UqYW9SEs).  Decision was postponed to the 2015 RA pending study of the issue.  This meeting will explore the underlying engineering requirements for civil timekeeping.

Meanwhile the leap second at the end of June 2012 triggered bugs in the Linux kernel:
http://landslidecoding.blogspot.com/2012/07/linuxs-leap-second-deadlocks.html

While it may not have lived up to the hyperbole ("leap second crashes half the Internet" - not the half I was using at the time, and no reported issues from my organization) this points up risks on one side of the issue.  These risks would have been mitigated by more extensive testing of kernel updates, and by installing the updates that were tested.  Google had a completely different framework for handling the issue:
http://googleblog.blogspot.com/2011/09/time-technology-and-leaping-seconds.html

It will be interesting to see what lessons were learned for future leap seconds.  However, redefining UTC would also present risks:
http://www.cacr.caltech.edu/futureofutc/2011/preprints/01_AAS_11-660.pdf

We welcome abstracts from diverse communities, with the goal of clarifying the nature of the problem space before entertaining solutions.

Rob Seaman, National Optical Astronomy Observatory  http://futureofutc.org

------------------------------

Date: Mon, 6 Jun 2011 20:01:16 -0900
From: RISKS-request_at_private
Subject: Abridged info on RISKS (comp.risks)

The ACM RISKS Forum is a MODERATED digest.  Its Usenet manifestation is comp.risks, the feed for which is donated by panix.com as of June 2011.

=> SUBSCRIPTIONS: PLEASE read RISKS as a newsgroup (comp.risks or equivalent) if possible and convenient for you.  The mailman Web interface can be used directly to subscribe and unsubscribe:
   http://lists.csl.sri.com/mailman/listinfo/risks
 Alternatively, to subscribe or unsubscribe via e-mail to mailman your FROM: address, send a message to
   risks-request_at_private
 containing only the one-word text subscribe or unsubscribe.  You may also specify a different receiving address: subscribe address= ... .  You may short-circuit that process by sending directly to either
   risks-subscribe_at_private or risks-unsubscribe_at_private
 depending on which action is to be taken.

 Subscription and unsubscription requests require that you reply to a confirmation message sent to the subscribing mail address.  Instructions are included in the confirmation message.  Each issue of RISKS that you receive contains information on how to post, unsubscribe, etc.

=> The complete INFO file (submissions, default disclaimers, archive sites, copyright policy, etc.) is online.
   <http://www.CSL.sri.com/risksinfo.html>
 The full info file may appear now and then in RISKS issues.
 *** Contributors are assumed to have read the full info file for guidelines.

=> .UK users may contact <Lindsay.Marshall_at_private>.

=> SPAM challenge-responses will not be honored.  Instead, use an alternative address from which you NEVER send mail!

=> SUBMISSIONS: to risks_at_private with meaningful SUBJECT: line.
 *** NOTE: Including the string "notsp" at the beginning or end of the subject
 *** line will be very helpful in separating real contributions from spam.
 *** This attention-string may change, so watch this space now and then.

=> ARCHIVES: ftp://ftp.sri.com/risks for current volume
     or ftp://ftp.sri.com/VL/risks for previous VoLume
   http://www.risks.org takes you to Lindsay Marshall's searchable archive at newcastle:
   http://catless.ncl.ac.uk/Risks/VL.IS.html gets you VoLume, ISsue.
   Lindsay has also added to the Newcastle catless site a palmtop version of the most recent RISKS issue and a WAP version that works for many but not all telephones: http://catless.ncl.ac.uk/w/r
   <http://the.wiretapped.net/security/info/textfiles/risks-digest/> .

==> PGN's comprehensive historical Illustrative Risks summary of one liners:
    <http://www.csl.sri.com/illustrative.html> for browsing,
    <http://www.csl.sri.com/illustrative.pdf> or .ps for printing
  is no longer maintained up-to-date except for recent election problems.

==> Special Offer to Join ACM for readers of the ACM RISKS Forum:
    <http://www.acm.org/joinacm1>

------------------------------

End of RISKS-FORUM Digest 26.92
************************

Received on Tue Jul 17 2012 - 12:53:23 PDT