[RISKS] Risks Digest 26.97

From: RISKS List Owner <risko_at_private>
Date: Wed, 15 Aug 2012 15:27:49 PDT
RISKS-LIST: Risks-Forum Digest  Wednesday 15 August 2012  Volume 26 : Issue 97

ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
Peter G. Neumann, moderator, chmn ACM Committee on Computers and Public Policy

***** See last item for further information, disclaimers, caveats, etc. *****
This issue is archived at <http://www.risks.org> as
  <http://catless.ncl.ac.uk/Risks/26.97.html>
The current issue can be found at
  <http://www.csl.sri.com/users/risko/risks.txt>

  Contents:
Knight Capital software upgrade costs $440m (Martyn Thomas)
Errant Trades Reveal a Risk Few Expected (NYT via Monty Solomon)
Hand wringing over Knight Capital software bugs (Henry Baker with
  excerpts from Ellen Ullman's OpEd)
DMV computer fails to make friends (Ellen Huet via Paul Saffo)
NTT DoCoMo outage (Rodney Van Meter)
Verizon 911 failures had multiple causes (David Lesher)
JFK security is breached by man who swam ashore (Sean Peisert)
Kaspersky Lab on Gauss, Flame, Stuxnet (PGN)
Wikileaks reveals TrapWire, a government spy network that uses ordinary
  surveillance cameras (Annalee Newitz via Dave Farber's IP)
Mat Honan hacked (Mat Honan via Marv Schaefer)
Ensure Phone is Off Before Engaging in Crime (Mark Brader)
Claims of medical patient info encrypted, held for ransom (Danny Burstein)
Microsoft sorry over 'big boobs' software code (Martyn Thomas)
RBS to pay out 125 million pounds (Martyn Thomas)
Re: Where Did the Internet Really Come From?  (Steve Crocker via Dave Farber)
Re: Best Typo Ever Runs A-1 in the Los Angeles Times (Phil Holden)
Abridged info on RISKS (comp.risks)

----------------------------------------------------------------------

Date: Fri, 03 Aug 2012 10:25:10 +0100
From: Martyn Thomas <martyn_at_thomas-associates.co.uk>
Subject: Knight Capital software upgrade costs $440m

http://www.usatoday.com/money/economy/trade/story/2012-08-02/Knight-Capital-trading-glitch/56692822/1

A technical problem that briefly threw dozens of stocks into chaos Wednesday
will cost Knight Capital Group $440 million, the trading firm said Thursday.
Knight's stock plunged for a second day, erasing 70% of its value in two
days. The company also said it is pursuing ways to raise money to fund the
expense, raising questions about the firm's viability.  ...

"You cannot keep people from doing stupid things," Joyce said in an
interview on Bloomberg Television.  "That is what happens when you have a
culture of risk."

Since the glitch, Knight's stock has fallen to $2.86 from $10.33 on
Tuesday. Knight takes orders from brokers like ETrade and TD Ameritrade and
routes them to the exchanges where shares are traded.

Knight Capital Group said the problem was triggered when it installed new
trading software, which resulted in the company sending numerous erroneous
orders in 140 stocks listed on the New York Stock Exchange.  Those orders
were responsible for some sudden swings in stock prices and surging trading
volume shortly after the market opened Wednesday.

Wizzard Software shot above $14 after closing the night before at $3.50,
according to FactSet. Abercrombie & Fitch jumped 9% within minutes, hitting
$36.75 after closing the night before at $33.80. Harley-Davidson suddenly
fell 12%, to $37.84 from $43.23. ...

Knight Capital said Thursday the software has been removed and that its
clients were not negatively affected.

For investors, it was the latest breakdown in the increasingly complicated
electronic systems that run stock trading. Those systems have been showing
signs of strain as more traders and big investment firms use powerful
computers to carry out trades in fractions of a second.

The latest disruption came in May, when technical problems on the Nasdaq
stock market marred Facebook's debut as a public company, preventing some
investors from knowing if they'd bought shares or being able to sell them.

The most visible and chaotic malfunction occurred in May 2010, when the Dow
Jones industrial average dropped nearly 600 points in five minutes, an event
dubbed the "flash crash." The problem at that time was also traced to
technical glitches. ...

"This software problem was an infrastructure problem," Thomas Joyce told
Bloomberg TV. "It had nothing to do with our quantitative models and nothing
to do with our market-making models. This was something that was separate
and distinct from trading."

------------------------------

Date: Fri, 3 Aug 2012 00:25:13 -0400
From: Monty Solomon <monty_at_private>
Subject: Errant Trades Reveal a Risk Few Expected (*The New York Times*)

1. Nathaniel Popper and Peter Eavis, *The New York Times*, 2 Aug 2012
http://dealbook.nytimes.com/2012/08/02/errant-trades-reveal-a-risk-few-expected/

Errant trades from the Knight Capital Group began hitting the New York Stock
Exchange almost as soon as the opening bell rang on Wednesday.  The trading
firm Knight Capital recently rushed to develop a computer program so it
could take advantage of a new Wall Street venue for trading stocks.  But the
firm ran up against its deadline and failed to fully work out the kinks in
its system, according to people briefed on the matter.  In its debut
Wednesday, the software went awry, swamping the stock market with errant
trades and putting Knight's future in jeopardy.

The fiasco, the third stock trading debacle in the last five months, revived
calls for bolder changes to a computer-driven market that has been hobbled
by its own complexity and speed. Among the proposals that gained momentum
were stringent testing of computer trading programs and a transaction tax
that could reduce trading. ...

2. Jessica Silver-Greenberg and Ben Protess, *The New York Times*, 2 Aug 2012
Trying to Be Nimble, Knight Capital Stumbles
http://dealbook.nytimes.com/2012/08/02/trying-to-be-nimble-knight-capital-stumbles/

Traders from the Knight Capital Group watched from the floor of the New York
Stock Exchange as Knight's chief, Thomas Joyce, was interviewed on
television.  As the leader of one of the largest brokerage firms in the
nation, Thomas M. Joyce has been an unapologetic advocate of electronic
trading and one of the most vociferous critics of companies that struggled
to keep up with the ever-changing stock market.  Now, Mr. Joyce, a longtime
trader who seized the reins of the Knight Capital Group in 2002, is fighting
for his company's survival.

In a bid to keep a grip on its customers, Knight pushed to introduce a new
system that would position it competitively amid market changes that took
effect on Wednesday, according to people briefed on the matter. Unlike
rivals that hesitated, Knight Capital's presence on Day 1 would ensure
bragging rights and extra profits.  But in the rollout of the system that
morning, Knight created a blizzard of erroneous orders to buy shares of
major stocks. The orders caused wild swings that affected the shares of more
than 100 companies, including Ford Motor, RadioShack and American
Airlines. ...

------------------------------

Date: Sun, 12 Aug 2012 12:45:27 -0700
From: Henry Baker <hbaker1_at_private>
Subject: Hand wringing over Knight Capital software bugs (with excerpts
  from Ellen Ullman's OpEd)

We in the software community can always do better, but I'm not as upset by
the Knight Capital problems as many people are.  The system worked: Knight
Capital wasn't too big to fail, and it was rescued by non-governmental
action.

Rather than the software community wringing its hands over the Knight
Capital (see Ellen Ullman's *NYTimes* Op Ed, below), I think that software
practices should be promulgated into other parts of society -- particularly
the legal system.  "Bugs" in the laws passed by Congress and state
legislatures cost the country perhaps one Knight Capital's worth of loss
every few minutes -- i.e., multi-hundreds of billions of dollars every year.
If there is hand wringing to be done, it should be over these failures, not
over the failure of Knight Capital.

The software community learns humility very early, when our best-laid plans
are destroyed by the cold logic of the computer.  If we are lucky, the vast
majority of our learning occurs very quickly, during early unit testing, so
that relatively few bugs make it even to alpha testing.  Lawyers, on the
other hand, who probably got into law because they hated math and computers,
have not had the computer as strict task-master to teach them the humility
of following errant logic to its mostly bitter conclusions.  As a result,
they are the least likely people to be able to foresee the consequences of
their follies.

NASA has had its embarrassing public failures over the years, but its recent
landing on Mars was spectacularly successful, given the complexity of the
mission and its landing sequence.  NASA seems to have learned over the years
that everything must be tested, retested, and then tested again.

The US FDA was caught flat-footed in the thalidomide scandal circa 1960, and
has since tried to keep improperly tested drugs off the market--a goal in
which it has largely succeeded.  Recognizing that every drug has bad
side-effects, the FDA requires that each drug be tested not only for
minimizing harm, but also efficacy in treating whatever symptoms it proposes
to relieve or mitigate.

Perhaps Congress and state legislatures could utilize an "FDA" for proposed
legislation; each proposed law would have to show that it would not harm
society, but would also have to show through a properly-controlled
double-blind experiment that its implementation would actually help society.
After all, these same legislatures require this type of "environmental
impact statement" on every _private_ development; it would be only fitting
to require the same for _all_ proposed legislation by Congress and state
legislatures.  While this hurdle would no doubt dramatically reduce the
amount of legislation passed, it would still have a positive result, due to
the elimination of the vast majority of legislative "patches" that are
required to fix the previous legislative "patches".

The "open source" software community has shown the wisdom of "many hundreds
or thousands of eyes" looking over the same code; perhaps all legislation
requires a minimum of 3-6 months of intense public scrutiny prior to being
able to come to a vote which will saddle 300 million people with additional
regulatory burdens and tax bills.

U.S. Supreme Court Justice Louis Brandeis talked of the states as
"laboratories of democracy", in which controlled experiments could be
performed prior to foisting these laws upon all of the states.  Congress and
state legislatures would be well advised to perform far more of these small
experiments before forcing all of us to endure "legal system 2.0", when we'd
be better off waiting for "legal system 2.23" after most of the bugs had
been worked out.

Errant Code? It's Not Just a Bug
Ellen Ullman, *The New York Times*, Op-Ed Contributor, 8 Aug 2012
http://www.nytimes.com/2012/08/09/opinion/after-knight-capital-new-code-for-trades.html

As a former software engineer, I laughed when I read what the Securities and
Exchange Commission might be considering in response to the debacle of
Knight Capital's runaway computerized stock trades: forcing companies to
fully test their computer systems before deploying coding changes.

That policy may sound sensible, but if you know anything about computers
[and have read RISKS, says PGN, who has PGN-ed the Op-Ed piece, but urges
you to dig it up], it is funny on several accounts.

First, it is impossible to fully test any computer system. [...]

Next, there is no such thing as a body of code without bugs. [...]

So now consider that tangle of modules. The bug in one meets the bug in
another, and that one in another ... and the possibility of system failure
multiplies exponentially.

Another absurd thing is trying to define a coding change worth fully
testing. [...]

And I haven't even mentioned the errors in algorithms devised by all the
Ph.D. mathematicians hired to work at Wall Street firms. Written by geniuses
they may be, but even Einstein sometimes got things wrong.

The best solution would be to bring back the `market makers' of old, the
people who stood between the bid and the asking price and were responsible
for making the trade work. Yet I cannot imagine they will return. Technology
does not run backward. Once a technical capability is out there, it is out
there for good.

The only remaining answer is to go forward. Just as offensive speech is
remedied by more speech, the remedy for errant code is more code. [...]

It is indeed laughable to think that programmers, alone, can solve problems
like those at Knight Capital. The credit card model informs us: we need code
and attentive human beings.

But the indispensable component is the protection induced by the rule of
law.  Credit card issuers get stuck with the bill. If Knight Capital and
other firms were forced to pay back everyone -- everyone -- who got caught
in their downdraft, just imagine what brilliant systems the companies would
devise.

Ellen Ullman is the author, most recently, of the novel, By Blood.

A version of this op-ed appeared in print on 9 Aug 2012, on page A23 of
the New York edition with the headline: Errant Code? It's Not Just a Bug.
[It is well worth reading in its entirety.  PGN]

------------------------------

Date: Tue, 14 Aug 2012 13:28:39 -0700
From: Paul Saffo <paul_at_private>
Subject: DMV computer fails to make friends (Ellen Huet)

http://www.sfgate.com/bayarea/article/DMV-computer-fails-to-make-friends-3787457.php

Ellen Huet, *San Francisco Chronicle*, 14 Aug 2012
(ehuet_at_private, Twitter: @ellenhuet)

Computer systems at all California Department of Motor Vehicles offices
broke down for more than 4 hours on the morning of 14 Aug 2012, beginning
before 7:30am, which prompted field offices to turn away or reschedule
appointments.  The offices had phone service but lost access to the Internet
and to DMV's internal networks. Customers who had Internet access could
still use the DMV website to process certain requests, and driver road tests
were still being conducted.

The crash occurred because AT&T made some changes overnight to routers at
several state agencies, including the Business, Transportation and Housing
Agency, the umbrella organization which includes the DMV.  In addition, the
DMV also experienced a failure with its own internal agency router that
relies on Verizon.

  [Also noted by Rob McCool.  PGN]

------------------------------

Date: Fri, 3 Aug 2012 08:42:47 +0900
From: Rodney Van Meter <rdv_at_private>
Subject: NTT DoCoMo outage

I almost missed getting to have dinner with my wife on our anniversary
because NTT DoCoMo had a phone outage across much of Japan for an hour and
forty minutes just as I was leaving campus, trying to catch her to arrange
dinner. DoCoMo is blaming some sort of management server for mobile number
portability (allowing you to change from DoCoMo to Softbank and keep the
same number, which I think about doing more and more often).

The outage began at 18:00 local time on 2 Aug 2012, continued until 19:42.
My own experience, starting around 19:00, was that voice and SMS did not
work, but that packet data (HSDPA or straight 3G) did.  I could surf the web
or send and receive email, from my DoCoMo mail account to my Gmail account
(which I also read on my phone).  The DoCoMo mail (called sp-mode) I sent to
my wife, however, appears never to have arrived.

(DoCoMo's mail system (at least as implemented on Android) is some complex
thing that uses part of the circuit side (SMS, I believe, though I'm not
certain) for signaling the availability of a message on the server, then a
packet side connection to retrieve the message.  On some software releases,
you can receive notification of email but not the email itself when your
phone is connected to a WLAN; my guess is that they have their mail servers
firewalled from the Internet at large.)

My info about blaming the MNP management server came from the 11pm NHK
newsbreak.  DoCoMo's website contains a no-details acknowledgement of the
outage, dated 8:30pm (twelve hours ago), nothing since.  So far, even that's
only available in Japanese.
http://www.nttdocomo.co.jp/info/network/kanto/pages/120802_3_d.html

Rodney Van Meter, associate professor, Faculty of Environment and
Information Studies, Keio University, Japan http://web.sfc.keio.ac.jp/~rdv/

------------------------------

Date: Tue, 14 Aug 2012 11:46:42 -0400
From: David <wb8foz_at_private>
Subject: Verizon 911 failures had multiple causes

During our recent derecho, Verizon's 911 service failed over large areas of
Northern Virginia. A new report details the event:

"Verizon officials did not know that 911 emergency service was out in
Fairfax County during June's derecho storm until the county called to tell
them...."

"Maureen Davis, vice president of Verizon's network operations for the
Mid-Atlantic region, said in an interview that the company also made a
mistake in treating the problem as a service complaint rather than the
large-scale outage that it was. ..... as the problems escalated at two
offices -- Verizon's central office in Arlington and another in Fairfax that
route calls for multiple 911 centers, Davis said."  "...batteries carried
the system for about six hours at each site. Backup generators should then
have shouldered the load. But the generators failed, Verizon said in the
report, despite having been tested three days earlier."

{Load exceeded generator capacity}

"...tests did not check whether equipment that automatically signals a
generator to work during a blackout was functioning properly, Davis said.
The equipment failed during the storm."

This is a throwback to the 17 Sept 1991 AT&T outage in NYC, where there was
no one to respond to the power failure alarm.  (RISKS-12.43)
<http://catless.ncl.ac.uk/Risks/12.43.html#subj2.2>

<http://www.washingtonpost.com/local/crime/verizon-details-errors-in-derecho-calls-response-to-911-outages-insufficient/2012/08/13/e2589596-e57f-11e1-8741-940e3f6dbf48_print.html>

------------------------------

Date: Mon, 13 Aug 2012 20:52:56 -0700
From: Sean Peisert <peisert_at_private>
Subject: JFK security is breached by man who swam ashore

I think you would find this some combination of amusing and appalling.

http://www.sfgate.com/business/article/JFK-security-is-breached-by-man-who-swam-ashore-3783708.php

Authorities said the trouble began Friday evening when 31-year-old Daniel
Casillo's jet ski ran out of fuel in Jamaica Bay. Casillo swam toward the
bright lights of Kennedy's runway 4L, which juts out into the bay, then
climbed an 8-foot fence that is part of the airport's state-of-the-art
Perimeter Intrusion Detection System, authorities said.

Soaking wet, wearing a bright yellow life jacket, Casillo made his way
across two intersecting runways -- an estimated distance of nearly two miles
-- before he was spotted on a terminal ramp by an airline employee,
authorities said.

According to the police report, Casillo told an officer: "I needed help!"

The intrusion-detection system, manufactured by defense contractor Raytheon
Co., should have set off a series of warnings, said Bobby Egbert, spokesman
for the Port Authority police officers union.

"This system is made specifically for those types of threats -- water-borne
threats," Egbert said. "It did not detect him climbing over a fence. It did
not detect him crossing two active runways."

http://www.nbcnewyork.com/news/local/Security-Breach-JFK-Jetski-Jamaica-Bay-Airline-165959376.html

------------------------------

Date: Thu, 9 Aug 2012 10:30:55 PDT
From: "Peter G. Neumann" <neumann_at_private>
Subject: Kaspersky Lab on Gauss, Flame, Stuxnet

Complex Cyber-Threat Designed to Monitor Online Banking Accounts

Is this connected with Flame and Stuxnet, therefore a US operation?
This article implies that.

Kaspersky Lab Discovers Gauss, A New Complex Cyber-Threat Designed
to Monitor Online Banking Accounts, *BusinessWire*, 9 Aug 2012
http://eon.businesswire.com/news/eon/20120809005743/en/Kaspersky-Lab/Kaspersky/Gauss

Gauss is a complex, nation-state sponsored cyber-espionage toolkit designed
to steal sensitive data, with a specific focus on browser passwords, online
banking account credentials, cookies, and specific configurations of
infected machines.  The online banking Trojan functionality found in Gauss
is a unique characteristic that was not found in any previously known
cyber-weapons.

Gauss was discovered during the course of the ongoing effort initiated by
the International Telecommunication Union (ITU), following the discovery of
Flame. The effort is aimed at mitigating the risks posed by cyber-weapons,
which is a key component in achieving the overall objective of global
cyber-peace.

ITU, with expertise provided by Kaspersky Lab, is taking important steps to
strengthen global cyber-security by actively collaborating with all relevant
stakeholders such as governments, the private sector, international
organizations and civil society, in addition to its key partners within the
ITU-IMPACT initiative.

Kaspersky Lab's experts discovered Gauss by identifying commonalities the
malicious program share with Flame. These include similar architectural
platforms, module structures, code bases and means of communication with
command and control (C&C) servers.

Quick facts:

* Analysis indicates that Gauss began operations in the September 2011
  timeframe.

* It was first discovered in June 2012, resulting from the knowledge gained
  by the in-depth analysis and research conducted on the Flame malware.

* This discovery was made possible due to strong resemblances and
  correlations between Flame and Gauss.

* The Gauss C&C infrastructure was shut down in July 2012 shortly after its
  discovery. Currently the malware is in a dormant state, waiting for its
  C&C servers to become active.

* Since late May 2012, more than 2,500 infections were recorded by Kaspersky
  Lab's cloud-based security system, with the estimated total number of
  victims of Gauss probably being in the tens of thousands.  This number is
  lower compared to the case of Stuxnet but it's significantly higher than
  the number of attacks in Flame and Duqu.

* Gauss steals detailed information about infected PCs including browser
  history, cookies, passwords, and system configurations. It is also capable
  of stealing access credentials for various online banking systems and
  payment methods.

* Analysis of Gauss shows it was designed to steal data from several
  Lebanese banks including the Bank of Beirut, EBLF, BlomBank, ByblosBank,
  FransaBank and Credit Libanais. In addition, it targets users of Citibank
  and PayPal.

The new malware was discovered by Kaspersky Lab's experts in June 2012. Its
main module was named by the unknown creators after the German mathematician
Johann Carl Friedrich Gauss. Other components bear the names of famous
mathematicians as well, including Joseph-Louis Lagrange and Kurt
Gödel. The investigation revealed that the first incidents with Gauss
date back as early as September 2011.  In July 2012 the command and control
servers of Gauss stopped functioning.

Multiple modules of Gauss serve the purpose of collecting information from
browsers, which include the history of visited websites and passwords.
Detailed data on the infected machine is also sent to the attackers,
including specifics of network interfaces, the computer's drives and BIOS
information. The Gauss module is also capable of stealing data from the
clients of several Lebanese banks including the Bank of Beirut, EBLF,
BlomBank, ByblosBank, FransaBank and Credit Libanais. It also targets users
of Citibank and PayPal.

Another key feature of Gauss is the ability to infect USB thumb drives,
using the same LNK vulnerability that was previously used in Stuxnet and
Flame. At the same time, the process of infecting USB sticks is more
intelligent. Gauss is capable of disinfecting the drive under certain
circumstances, and uses the removable media to store collected information
in a hidden file. Another activity of the Trojan is the installation of a
special font called Palida Narrow, and the purpose of this action is still
unknown.

While Gauss is similar to Flame in design, the geography of infections is
noticeably different. The highest number of computers hit by Flame was
recorded in Iran, while the majority of Gauss victims were located in
Lebanon. The number of infections is also different. Based on telemetry
reported from the Kaspersky Security Network (KSN), Gauss infected
approximately 2,500 machines. In comparison, Flame was significantly lower,
infecting closer to 700 machines.

Although the exact method used to infect the computers is not yet known, it
is clear that Gauss propagates in a different manner to Flame or Duqu;
however, similar to the two previous cyber-espionage weapons, Gauss's
spreading mechanisms are conducted in a controlled fashion, which emphasize
stealth and secrecy for the operation.

Alexander Gostev, Chief Security Expert, Kaspersky Lab, commented: ``Gauss
bears striking resemblances to Flame, such as its design and code base,
which enabled us to discover the malicious program. Similar to Flame and
Duqu, Gauss is a complex cyber-espionage toolkit, with its design
emphasizing stealth and secrecy; however, its purpose was different to Flame
or Duqu. Gauss targets multiple users in select countries to steal large
amounts of data, with a specific focus on banking and financial
information.''

At the present time, the Gauss Trojan (Trojan-Spy.Win32.Gauss) is
successfully detected, blocked and remediated by Kaspersky Lab's products.

The company's experts have published in-depth analysis of the malware at
Securelist.com:
http://www.securelist.com/en/analysis/204792238/Gauss_Abnormal_Distribution

A Gauss FAQ containing the essential information about the threat is
also available: http://www.securelist.com/en/blog?weblogid=208193767

Stay tuned for updates by following our Facebook page:
https://www.facebook.com/Kaspersky?ref=ts

Kaspersky Lab:
   Tim Whitman, 781-503-7804 timothy.whitman_at_private
   Joel Harding, Information Operations Holistic Organizer (IOHO)
   http://toinformistoinfluence.com   (703) 362-8582

------------------------------

Date: August 12, 2012 9:27:35 PM EDT
From: Labmanager <labmanager_at_private>
Subject: Wikileaks reveals TrapWire, a government spy network that uses
  ordinary surveillance cameras (Annalee Newitz via Dave Farber's IP)

http://io9.com/5933966/wikileaks-reveals-trapwire-a-government-spy-network-that-uses-ordinary-surveillance-cameras

It's just like an episode of Person of Interest. According to documents
leaked on Wikileaks, the government has created a piece of technology,
called TrapWire, that siphons data from surveillance cameras in stores,
casinos, and other businesses around the country. Apparently agents can use
facial recognition software to analyze this footage for, well, people of
interest.  Are we living in a total surveillance state without even
realizing it?

Over at Business Insider, David Seaman reports on the contents of the
documents at Wikileaks:

"Every few seconds, data picked up at surveillance points in major cities and
landmarks across the United States are recorded digitally on the spot, then
encrypted and instantaneously delivered to a fortified central database
center at an undisclosed location to be aggregated with other
intelligence. It's part of a program called TrapWire and it's the brainchild
of Abraxas, a Northern Virginia company staffed with elite from
America's intelligence community.

The employee roster at Abraxas reads like a who's who of agents once with
the Pentagon, CIA and other government entities according to their public
LinkedIn profiles, and the corporation's ties are assumed to go deeper than
even documented. The details on Abraxas and, to an even greater extent
TrapWire, are scarce, however, and not without reason. For a program touted
as a tool to thwart terrorism and monitor activity meant to be under wraps,
it's understandable that Abraxas would want the program's public presence to
be relatively limited. But thanks to last year's hack of the Strategic
Forecasting intelligence agency, or Stratfor, all of that is quickly
changing."

So: those spooky new "circular" dark globe cameras installed in your
neighborhood park, town, or city, they aren't just passively monitoring.
They're plugged into TrapWire and they are potentially monitoring every
single person via facial recognition.

Currently it's pretty hard to reach Wikileaks to read the papers yourself,
because the site has been crushed under an onslaught of DDOS attacks, which,
... how convenient is that, conspiracy theorists? But you can still see a
description of Abraxas' TrapWire technology here, at the USPTO.

------------------------------

Date: Mon, 13 Aug 2012 15:01:24 PDT
From: "Peter G. Neumann" <neumann_at_private>
Subject: Mat Honan hacked

(Mat Honan's Tumblr via Marv Schaefer, with apologies to Lamont Cranston!)

It appears that Apple's misguided security engineers have finally gained
full focus spotlight celebritydom (or is it celebritydumb?).  "Wired's Mat
Honan got hacked hard over the weekend, and the attacker wiped out his
iPhone, iPad, and Mac. "

The full article is of interest, but here's the opening....
http://www.emptyage.com/post/28679875595/yes-i-was-hacked-hard

*Yes, I was hacked. Hard.*

So maybe you saw my Twitter going nuts tonight. Or you saw Gizmodo's Twitter
account blow up. Or you saw this in AllThingsD. Or this in the DailyDot.
Although embarrassing, Twitter was the least of it. In short, someone gained
entry to my iCloud account, used it to remote wipe all of my devices, and
get entry into other accounts too.

Here's what happened:

At 4:50 PM, someone got into my iCloud account, reset the password and sent
the confirmation message about the reset to the trash. My password was a 7
digit alphanumeric that I didn't use elsewhere. When I set it up, years and
years ago, that seemed pretty secure at the time. But it's not.  Especially
given that I've been using it for, well, years and years. My guess is they
used brute force to get the password (see update) and then reset it to do
the damage to my devices.

The backup email address on my Gmail account is that same .mac email
address. At 4:52 PM, they sent a Gmail password recovery email to the .mac
account. Two minutes later, an email arrived notifying me that my Google
Account password had changed.

At 5:00 PM, they remote wiped my iPhone.
At 5:01 PM, they remote wiped my iPad.
At 5:05 PM, they remote wiped my MacBook Air.

A few minutes after that, they took over my Twitter. Because, a long time
ago, I had linked my Twitter to Gizmodo's they were then able to gain entry
to that as well.

  [Mat Honan's written an updated column explaining the details of the
  hacking, how it was done, and how his naiveté about security helped
  lead to his being so thoroughly hacked.  See http://bit.ly/PB2mMO]
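  [The chain Honan describes (iCloud reset -> Gmail, because the Gmail backup
  address was the .mac address -> Twitter -> Gizmodo's Twitter, plus the
  remote wipe of three devices from iCloud) is a recovery-dependency graph,
  and the damage is the transitive closure of one compromised node.  The
  following Python is an added illustration, not code from Honan's post or
  from any of the services named; the account and device names come from the
  post, while the edge list and its labels are my reading of the timeline.
  It computes the blast radius of a single compromised account, lists the
  accounts whose loss reaches everything, and shows what cutting one
  recovery edge buys.  PGN]

```python
"""Account-recovery chain analysis (added example, not from the original post).

Models "control of account A yields control of, or destructive power over, B"
as a directed graph and asks: if A falls, what else falls?
"""
from collections import defaultdict, deque

# Constructed from the timeline in the post.  Each edge is
# (source, target, how control propagates).  Labels are an assumption
# drawn from the post's own description of what happened.
RECOVERY_EDGES = [
    ("icloud", "gmail", "Gmail backup address is the .mac address"),
    ("gmail", "twitter", "password reset mailed to Gmail"),
    ("twitter", "gizmodo-twitter", "accounts linked"),
    ("icloud", "iphone", "remote wipe from iCloud"),
    ("icloud", "ipad", "remote wipe from iCloud"),
    ("icloud", "macbook-air", "remote wipe from iCloud"),
]


def build_graph(edges):
    """Adjacency list: source -> [(target, how), ...]."""
    graph = defaultdict(list)
    for src, dst, how in edges:
        graph[src].append((dst, how))
    return graph


def blast_radius(edges, start):
    """Breadth-first closure from `start`.

    Returns {node: path} for every node reachable from `start` (including
    `start` itself), where `path` is the sequence of takeovers leading to it.
    """
    graph = build_graph(edges)
    paths = {start: [start]}
    queue = deque([start])
    while queue:
        node = queue.popleft()
        for nxt, _how in graph.get(node, []):
            if nxt not in paths:          # first-found path is shortest
                paths[nxt] = paths[node] + [nxt]
                queue.append(nxt)
    return paths


def single_points_of_failure(edges):
    """Nodes whose compromise reaches every node in the graph."""
    nodes = {n for edge in edges for n in edge[:2]}
    return sorted(n for n in nodes if set(blast_radius(edges, n)) == nodes)


def break_chain(edges, src, dst):
    """Return the edge list with one recovery dependency removed,
    e.g. pointing the Gmail backup address at an address iCloud cannot reset."""
    return [e for e in edges if not (e[0] == src and e[1] == dst)]


if __name__ == "__main__":
    for node, path in blast_radius(RECOVERY_EDGES, "icloud").items():
        print(" -> ".join(path))
    print("single points of failure:", single_points_of_failure(RECOVERY_EDGES))
    hardened = break_chain(RECOVERY_EDGES, "icloud", "gmail")
    print("reachable from icloud after moving the Gmail backup address:",
          sorted(blast_radius(hardened, "icloud")))
```

  [Run as-is, it prints every takeover path starting from iCloud, reports
  iCloud as the only account whose loss reaches everything, and shows that
  moving the Gmail backup address off the .mac account confines an iCloud
  compromise to the three device wipes.  The same function answers the
  question for any account, which is the check to run before choosing a
  recovery address.  PGN]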

------------------------------

Date: Mon, 13 Aug 2012 17:13:26 -0400 (EDT)
From: msb_at_private (Mark Brader)
Subject: Ensure Phone is Off Before Engaging in Crime

According to police in Scranton, Pennsylvania, the arrest of a suspect
following a drug deal was facilitated by the fact that he had accidentally
dialed 911, leading to the entire conversation being recorded.
  http://news.cnet.com/8301-17852_3-57491650-71/any

Mark Brader, Toronto, msb_at_private

------------------------------

Date: Fri, 10 Aug 2012 19:45:45 -0400 (EDT)
From: Danny Burstein <dannyb_at_private>
Subject: Claims of medical patient info encrypted, held for ransom

Surgeons of Lake County [Illinois], LLC Server Breach Incident Triggers
Investigation as to Whether Patient Information May Have Been Compromised

The Surgeons of Lake County, LLC ("Surgeons") announced today that an
unauthorized user had gained access to - and encrypted - their server in an
attempt to force payment from Surgeons in exchange for the password needed
to regain access to the server.

Surgeons learned of the incident on June 25, 2012, when it discovered that
an unauthorized user had gained remote access to a server containing
Surgeons' corporate email and electronic medical records. The unauthorized
user posted a message on the server stating that the contents of the server
had been encrypted and could only be accessed with a password that would
only be supplied if Surgeons made the demanded payment. Upon receiving the
demand, the server was turned off, and has not been turned back on.

(rest of story details the usual followups)
  http://enewschannels.com/2012/07/20/enc15049_132901.php

------------------------------

Date: Sat, 04 Aug 2012 16:07:22 +0100
From: Martyn Thomas <martyn_at_thomas-associates.co.uk>
Subject: Microsoft sorry over 'big boobs' software code

Not all risks are executable.

The string "0xB16B00B5", a hexadecimal value, was found in software that
allows Microsoft programs to work with Linux, the open source operating
system.  It prompted widespread criticism of Microsoft and debate over
whether a "boys club" culture deters women from entering the software
industry.  Microsoft quickly apologised for the inclusion of the term and
updated the code to remove it.

http://www.telegraph.co.uk/technology/microsoft/9415234/Microsoft-sorry-over-big-boobs-software-code.html

------------------------------

Date: Fri, 03 Aug 2012 10:27:06 +0100
From: Martyn Thomas <martyn_at_thomas-associates.co.uk>
Subject: RBS to pay out 125 million pounds (Re: RISKS-26.91,92)

Royal Bank of Scotland (RBS) has put aside £125m to pay compensation to
customers affected by the recent breakdown in its computer systems.  Account
holders at RBS and its NatWest and Ulster Bank subsidiaries faced disruption
for up to two weeks in June after a software upgrade at the bank.
  http://www.bbc.co.uk/news/business-19107537

------------------------------

Date: Sat, 4 Aug 2012 14:17:12 -0700
From: Dave Farber <dave_at_private>
Subject: Re: Where Did the Internet Really Come From? (Steve Crocker)

  [Excellent item.  Very well worth reading.  PGN]

http://techpresident.com/news/22670/where-did-internet-really-come

------------------------------

Date: Sun, 5 Aug 2012 21:24:56 +0100
From: Phil Holden <eeyore_at_private>
Subject: Re: Best Typo Ever Runs A-1 in the Los Angeles Times (Tessa Stuart)

I thought the typo in RISKS-26.92 was funnier:

Re: A320 Lost 2 of 3 Hydraulic Systems on takeoff

> Professional opinion also included the possibility that the passenger
> nausea was only to be expected in flying a tight holding pattern over hot
> dessert for three hours, perhaps with yaw stabilisers off-line due to the
> failure.

Perhaps the passengers were hungry and the sight of syrup sponge or
chocolate pudding or maybe apple pie like Mom used to bake was a bit too
much to bear.

------------------------------

Date: Mon, 6 Jun 2011 20:01:16 -0900
From: RISKS-request_at_private
Subject: Abridged info on RISKS (comp.risks)

 The ACM RISKS Forum is a MODERATED digest. Its Usenet manifestation is
 comp.risks, the feed for which is donated by panix.com as of June 2011.
=> SUBSCRIPTIONS: PLEASE read RISKS as a newsgroup (comp.risks or equivalent)
 if possible and convenient for you.  The mailman Web interface can
 be used directly to subscribe and unsubscribe:
   http://lists.csl.sri.com/mailman/listinfo/risks
 Alternatively, to subscribe or unsubscribe via e-mail to mailman
 your FROM: address, send a message to
   risks-request_at_private
 containing only the one-word text subscribe or unsubscribe.  You may
 also specify a different receiving address: subscribe address= ... .
 You may short-circuit that process by sending directly to either
   risks-subscribe_at_private or risks-unsubscribe_at_private
 depending on which action is to be taken.

 Subscription and unsubscription requests require that you reply to a
 confirmation message sent to the subscribing mail address.  Instructions
 are included in the confirmation message.  Each issue of RISKS that you
 receive contains information on how to post, unsubscribe, etc.

=> The complete INFO file (submissions, default disclaimers, archive sites,
 copyright policy, etc.) is online.
   <http://www.CSL.sri.com/risksinfo.html>
 The full info file may appear now and then in RISKS issues.
 *** Contributors are assumed to have read the full info file for guidelines.

=> .UK users may contact <Lindsay.Marshall_at_private>.
=> SPAM challenge-responses will not be honored.  Instead, use an alternative
 address from which you NEVER send mail!
=> SUBMISSIONS: to risks_at_private with meaningful SUBJECT: line.
 *** NOTE: Including the string "notsp" at the beginning or end of the subject
 *** line will be very helpful in separating real contributions from spam.
 *** This attention-string may change, so watch this space now and then.
=> ARCHIVES: ftp://ftp.sri.com/risks for current volume
     or ftp://ftp.sri.com/VL/risks for previous VoLume
 http://www.risks.org takes you to Lindsay Marshall's searchable archive at
 newcastle: http://catless.ncl.ac.uk/Risks/VL.IS.html gets you VoLume, ISsue.
   Lindsay has also added to the Newcastle catless site a palmtop version
   of the most recent RISKS issue and a WAP version that works for many but
   not all telephones: http://catless.ncl.ac.uk/w/r
 <http://the.wiretapped.net/security/info/textfiles/risks-digest/> .
==> PGN's comprehensive historical Illustrative Risks summary of one liners:
    <http://www.csl.sri.com/illustrative.html> for browsing,
    <http://www.csl.sri.com/illustrative.pdf> or .ps for printing
  is no longer maintained up-to-date except for recent election problems.
==> Special Offer to Join ACM for readers of the ACM RISKS Forum:
    <http://www.acm.org/joinacm1>

------------------------------

End of RISKS-FORUM Digest 26.97
************************
Received on Wed Aug 15 2012 - 15:27:49 PDT

This archive was generated by hypermail 2.2.0 : Wed Aug 15 2012 - 16:08:16 PDT