RISKS-LIST: Risks-Forum Digest  Wednesday 15 August 2012  Volume 26 : Issue 97

ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
Peter G. Neumann, moderator, chmn ACM Committee on Computers and Public Policy

***** See last item for further information, disclaimers, caveats, etc. *****
This issue is archived at <http://www.risks.org> as
<http://catless.ncl.ac.uk/Risks/26.97.html>
The current issue can be found at
<http://www.csl.sri.com/users/risko/risks.txt>

Contents:
Knight Capital software upgrade costs $440m (Martyn Thomas)
Errant Trades Reveal a Risk Few Expected (NYT via Monty Solomon)
Hand wringing over Knight Capital software bugs (Henry Baker with excerpts from Ellen Ullman's OpEd)
DMV computer fails to make friends (Ellen Huet via Paul Saffo)
NTT DoCoMo outage (Rodney Van Meter)
Verizon 911 failures had multiple causes (David Lesher)
JFK security is breached by man who swam ashore (Sean Peisert)
Kaspersky Lab on Gauss, Flame, Stuxnet (PGN)
Wikileaks reveals TrapWire, a government spy network that uses ordinary surveillance cameras (Annalee Newitz via Dave Farber's IP)
Mat Honan hacked (Mat Honan via Marv Schaefer)
Ensure Phone is Off Before Engaging in Crime (Mark Brader)
Claims of medical patient info encrypted, held for ransom (Danny Burstein)
Microsoft sorry over 'big boobs' software code (Martyn Thomas)
RBS to pay out 125 million pounds (Martyn Thomas)
Re: Where Did the Internet Really Come From? (Steve Crocker via Dave Farber)
Re: Best Typo Ever Runs A-1 in the Los Angeles Times (Phil Holden)
Abridged info on RISKS (comp.risks)

----------------------------------------------------------------------

Date: Fri, 03 Aug 2012 10:25:10 +0100
From: Martyn Thomas <martyn_at_thomas-associates.co.uk>
Subject: Knight Capital software upgrade costs $440m

http://www.usatoday.com/money/economy/trade/story/2012-08-02/Knight-Capital-trading-glitch/56692822/1

A technical problem that briefly threw dozens of stocks into chaos Wednesday will cost Knight Capital Group $440 million, the trading firm said Thursday. Knight's stock plunged for a second day, erasing 70% of its value in two days. The company also said it is pursuing ways to raise money to fund the expense, raising questions about the firm's viability. ...

"You cannot keep people from doing stupid things," Joyce said in an interview on Bloomberg Television. "That is what happens when you have a culture of risk."

Since the glitch, Knight's stock has fallen to $2.86 from $10.33 on Tuesday.

Knight takes orders from brokers like ETrade and TD Ameritrade and routes them to the exchanges where shares are traded. Knight Capital Group said the problem was triggered when it installed new trading software, which resulted in the company sending numerous erroneous orders in 140 stocks listed in the New York Stock Exchange. Those orders were responsible for some sudden swings in stock prices and surging trading volume shortly after the market opened Wednesday.

Wizzard Software shot above $14 after closing the night before at $3.50, according to FactSet. Abercrombie & Fitch jumped 9% within minutes, hitting $36.75 after closing the night before at $33.80. Harley-Davidson suddenly fell 12%, to $37.84 from $43.23. ...
Knight Capital said Thursday the software has been removed and that its clients were not negatively affected.

For investors, it was the latest breakdown in the increasingly complicated electronic systems that run stock trading. Those systems have been showing signs of strain as more traders and big investment firms use powerful computers to carry out trades in fractions of a second.

The latest disruption came in May, when technical problems on the Nasdaq stock market marred Facebook's debut as a public company, preventing some investors from knowing if they'd bought shares or being able to sell them. The most visible and chaotic malfunction occurred in May 2010, when the Dow Jones industrial average dropped nearly 600 points in five minutes, an event dubbed the "flash crash." The problem at that time was also traced to technical glitches. ...

"This software problem was an infrastructure problem," Thomas Joyce told Bloomberg TV. "It had nothing to do with our quantitative models and nothing to do with our market-making models. This was something that was separate and distinct from trading."

------------------------------

Date: Fri, 3 Aug 2012 00:25:13 -0400
From: Monty Solomon <monty_at_private>
Subject: Errant Trades Reveal a Risk Few Expected (*The New York Times*)

1. Nathaniel Popper and Peter Eavis, *The New York Times*, 2 Aug 2012
http://dealbook.nytimes.com/2012/08/02/errant-trades-reveal-a-risk-few-expected/

Errant trades from the Knight Capital Group began hitting the New York Stock Exchange almost as soon as the opening bell rang on Wednesday.

The trading firm Knight Capital recently rushed to develop a computer program so it could take advantage of a new Wall Street venue for trading stocks. But the firm ran up against its deadline and failed to fully work out the kinks in its system, according to people briefed on the matter.

In its debut Wednesday, the software went awry, swamping the stock market with errant trades and putting Knight's future in jeopardy.

The fiasco, the third stock trading debacle in the last five months, revived calls for bolder changes to a computer-driven market that has been hobbled by its own complexity and speed. Among the proposals that gained momentum were stringent testing of computer trading programs and a transaction tax that could reduce trading. ...

2. Jessica Silver-Greenberg and Ben Protess, *The New York Times*, 2 Aug 2012
Trying to Be Nimble, Knight Capital Stumbles
http://dealbook.nytimes.com/2012/08/02/trying-to-be-nimble-knight-capital-stumbles/

Traders from the Knight Capital Group watched from the floor of the New York Stock Exchange as Knight's chief, Thomas Joyce, was interviewed on television.

As the leader of one of the largest brokerage firms in the nation, Thomas M. Joyce has been an unapologetic advocate of electronic trading and one of the most vociferous critics of companies that struggled to keep up with the ever-changing stock market.

Now, Mr. Joyce, a longtime trader who seized the reins of the Knight Capital Group in 2002, is fighting for his company's survival.

In a bid to keep a grip on its customers, Knight pushed to introduce a new system that would position it competitively amid market changes that took effect on Wednesday, according to people briefed on the matter. Unlike rivals that hesitated, Knight Capital's presence on Day 1 would ensure bragging rights and extra profits.

But in the rollout of the system that morning, Knight created a blizzard of erroneous orders to buy shares of major stocks. The orders caused wild swings that affected the shares of more than 100 companies, including Ford Motor, RadioShack and American Airlines. ...
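As an added example for this item (not code from the RISKS digest, Knight Capital or any exchange), here is the kind of pre-trade kill switch the post-incident proposals point toward: a sliding-window throttle placed between a trading engine and the exchange gateway that latches shut when order counts or gross notional in a short window exceed limits, so a defective build cannot keep flooding the market for minutes. The symbols, limits and both order streams are constructed for illustration.

```python
"""Order-flow circuit breaker: an added, illustrative safeguard against a
runaway order stream.  Example code for this digest item, not Knight Capital's
software; every symbol, limit and order stream below is constructed."""
from collections import deque
from dataclasses import dataclass, field
from typing import Deque, Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Order:
    ts: float       # seconds since the opening bell (constructed clock)
    symbol: str
    side: str       # "BUY" or "SELL"
    qty: int
    price: float


@dataclass
class OrderThrottle:
    """Sliding-window kill switch between a trading engine and the exchange gateway.

    Trips, and stays tripped until a human resets it, when within `window_s`
    seconds the engine has sent more than `max_orders` orders in total, more
    than `max_per_symbol` in any one symbol, or more than `max_notional` of
    gross notional.  The limits here are illustrative, not calibrated values.
    """
    window_s: float = 60.0
    max_orders: int = 500
    max_per_symbol: int = 50
    max_notional: float = 50_000_000.0
    tripped: Optional[str] = None
    _recent: Deque[Tuple[float, str, float]] = field(default_factory=deque)
    _per_symbol: Dict[str, int] = field(default_factory=dict)
    _notional: float = 0.0

    def _expire(self, now: float) -> None:
        """Drop orders that have aged out of the window."""
        while self._recent and now - self._recent[0][0] > self.window_s:
            _, sym, notional = self._recent.popleft()
            self._per_symbol[sym] -= 1
            self._notional -= notional

    def submit(self, order: Order) -> bool:
        """Return True if the order may be forwarded, False if it is blocked."""
        if self.tripped:
            return False                      # halted: nothing leaves until reset
        self._expire(order.ts)
        notional = order.qty * order.price
        self._recent.append((order.ts, order.symbol, notional))
        self._per_symbol[order.symbol] = self._per_symbol.get(order.symbol, 0) + 1
        self._notional += notional
        win = f"{self.window_s:.0f}s"
        if len(self._recent) > self.max_orders:
            self.tripped = f"{len(self._recent)} orders in {win}"
        elif self._per_symbol[order.symbol] > self.max_per_symbol:
            self.tripped = f"{self._per_symbol[order.symbol]} orders in {order.symbol} within {win}"
        elif self._notional > self.max_notional:
            self.tripped = f"gross notional {self._notional:,.0f} in {win}"
        # The order that trips the breaker is itself held back.
        return self.tripped is None


def normal_flow(n_symbols: int = 20, seconds: int = 60, per_sec: int = 2) -> List[Order]:
    """Constructed: steady two-sided quoting spread across many symbols."""
    symbols = [f"SYM{i:02d}" for i in range(n_symbols)]
    return [
        Order(ts=i / per_sec, symbol=symbols[i % n_symbols],
              side="BUY" if i % 2 == 0 else "SELL", qty=100, price=20.0 + i % n_symbols)
        for i in range(seconds * per_sec)
    ]


def runaway_flow(symbol: str = "WZE", seconds: int = 60, per_sec: int = 100) -> List[Order]:
    """Constructed: a defective build that never records fills and keeps
    re-sending child orders for the same parent, many times a second."""
    return [Order(ts=i / per_sec, symbol=symbol, side="BUY", qty=100, price=3.50)
            for i in range(seconds * per_sec)]


def run_stream(orders: List[Order], throttle: OrderThrottle) -> Tuple[int, int, Optional[str]]:
    """Feed a stream through the throttle; return (forwarded, blocked, trip reason)."""
    sent = blocked = 0
    for order in orders:
        if throttle.submit(order):
            sent += 1
        else:
            blocked += 1
    return sent, blocked, throttle.tripped


if __name__ == "__main__":
    print("normal :", run_stream(normal_flow(), OrderThrottle()))
    print("runaway:", run_stream(runaway_flow(), OrderThrottle()))
```

The normal stream passes untouched, while the runaway stream is cut off after the 50th order in the single symbol and everything after it, in any symbol, stays blocked until the latch is cleared by an operator.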
------------------------------

Date: Sun, 12 Aug 2012 12:45:27 -0700
From: Henry Baker <hbaker1_at_private>
Subject: Hand wringing over Knight Capital software bugs (with excerpts from Ellen Ullman's OpEd)

We in the software community can always do better, but I'm not as upset by the Knight Capital problems as many people are. The system worked: Knight Capital wasn't too big to fail, and it was rescued by non-governmental action.

Rather than the software community wringing its hands over the Knight Capital (see Ellen Ullman's *NYTimes* Op Ed, below), I think that software practices should be promulgated into other parts of society -- particularly the legal system. "Bugs" in the laws passed by Congress and state legislatures cost the country perhaps one Knight Capital's worth of loss every few minutes -- i.e., multi-hundreds of billions of dollars every year. If there is hand wringing to be done, it should be over these failures, not over the failure of Knight Capital.

The software community learns humility very early, when our best-laid plans are destroyed by the cold logic of the computer. If we are lucky, the vast majority of our learning occurs very quickly, during early unit testing, so that relatively few bugs make it even to alpha testing.

Lawyers, on the other hand, who probably got into law because they hated math and computers, have not had the computer as strict task-master to teach them the humility of following errant logic to its mostly bitter conclusions. As a result, they are the least likely people to be able to foresee the consequences of their follies.

NASA has had its embarrassing public failures over the years, but its recent landing on Mars was spectacularly successful, given the complexity of the mission and its landing sequence. NASA seems to have learned over the years that everything must be tested, retested, and then tested again.
The US FDA was caught flat-footed in the thalidomide scandal circa 1960, and has since tried to keep improperly tested drugs off the market -- a goal in which it has largely succeeded. Recognizing that every drug has bad side-effects, the FDA requires that each drug be tested not only for minimizing harm, but also efficacy in treating whatever symptoms it proposes to relieve or mitigate.

Perhaps Congress and state legislatures could utilize an "FDA" for proposed legislation; each proposed law would have to show that it would not harm society, but would also have to show through a properly-controlled double-blind experiment that its implementation would actually help society. After all, these same legislatures require this type of "environmental impact statement" on every _private_ development; it would be only fitting to require the same for _all_ proposed legislation by Congress and state legislatures.

While this hurdle would no doubt dramatically reduce the amount of legislation passed, it would still have a positive result, due to the elimination of the vast majority of legislative "patches" that are required to fix the previous legislative "patches".

The "open source" software community has shown the wisdom of "many hundreds or thousands of eyes" looking over the same code; perhaps all legislation requires a minimum of 3-6 months of intense public scrutiny prior to being able to come to a vote which will saddle 300 million people with additional regulatory burdens and tax bills.

U.S. Supreme Court Justice Louis Brandeis talked of the states as "laboratories of democracy", in which controlled experiments could be performed prior to foisting these laws upon all of the states. Congress and state legislatures would be well advised to perform far more of these small experiments before forcing all of us to endure "legal system 2.0", when we'd be better off waiting for "legal system 2.23" after most of the bugs had been worked out.

Errant Code? It's Not Just a Bug
Ellen Ullman, *The New York Times*, Op-Ed Contributor, 8 Aug 2012
http://www.nytimes.com/2012/08/09/opinion/after-knight-capital-new-code-for-trades.html

As a former software engineer, I laughed when I read what the Securities and Exchange Commission might be considering in response to the debacle of Knight Capital's runaway computerized stock trades: forcing companies to fully test their computer systems before deploying coding changes. That policy may sound sensible, but if you know anything about computers [and have read RISKS, says PGN, who has PGN-ed the Op-Ed piece, but urges you to dig it up], it is funny on several accounts.

First, it is impossible to fully test any computer system. [...]

Next, there is no such thing as a body of code without bugs. [...]

So now consider that tangle of modules. The bug in one meets the bug in another, and that one in another ... and the possibility of system failure multiplies exponentially.

Another absurd thing is trying to define a coding change worth fully testing. [...]

And I haven't even mentioned the errors in algorithms devised by all the Ph.D. mathematicians hired to work at Wall Street firms. Written by geniuses they may be, but even Einstein sometimes got things wrong.

The best solution would be to bring back the `market makers' of old, the people who stood between the bid and the asking price and were responsible for making the trade work. Yet I cannot imagine they will return. Technology does not run backward. Once a technical capability is out there, it is out there for good.

The only remaining answer is to go forward. Just as offensive speech is remedied by more speech, the remedy for errant code is more code. [...]

It is indeed laughable to think that programmers, alone, can solve problems like those at Knight Capital. The credit card model informs us: we need code and attentive human beings. But the indispensable component is the protection induced by the rule of law.
Credit card issuers get stuck with the bill. If Knight Capital and other firms were forced to pay back everyone -- everyone -- who got caught in their downdraft, just imagine what brilliant systems the companies would devise.

Ellen Ullman is the author, most recently, of the novel, By Blood. A version of this op-ed appeared in print on 9 Aug 2012, on page A23 of the New York edition with the headline: Errant Code? It's Not Just a Bug.

[It is well worth reading in its entirety. PGN]

------------------------------

Date: Tue, 14 Aug 2012 13:28:39 -0700
From: Paul Saffo <paul_at_private>
Subject: DMV computer fails to make friends (Ellen Huet)

http://www.sfgate.com/bayarea/article/DMV-computer-fails-to-make-friends-3787457.php

Ellen Huet, *San Francisco Chronicle*, 14 Aug 2012 (ehuet_at_private, Twitter: @ellenhuet)

Computer systems at all California Department of Motor Vehicles offices broke down for more than 4 hours on the morning of 14 Aug 2012, beginning before 7:30am, which prompted field offices to turn away or reschedule appointments. The offices had phone service but lost access to the Internet and to DMV's internal networks. Customers who had Internet access could still use the DMV website to process certain requests, and driver road tests were still being conducted.

The crash occurred because AT&T made some changes overnight to routers at several state agencies, including the Business, Transportation and Housing Agency, the umbrella organization which includes the DMV. In addition, the DMV also experienced a failure with its own internal agency router that relies on Verizon.

[Also noted by Rob McCool. PGN]

------------------------------

Date: Fri, 3 Aug 2012 08:42:47 +0900
From: Rodney Van Meter <rdv_at_private>
Subject: NTT DoCoMo outage

I almost missed getting to have dinner with my wife on our anniversary because NTT DoCoMo had a phone outage across much of Japan for an hour and forty minutes just as I was leaving campus, trying to catch her to arrange dinner.

DoCoMo is blaming some sort of management server for mobile number portability (allowing you to change from DoCoMo to Softbank and keep the same number, which I think about doing more and more often).

The outage began at 18:00 local time on 2 Aug 2012, continued until 19:42. My own experience, starting around 19:00, was that voice and SMS did not work, but that packet data (HSDPA or straight 3G) did. I could surf the web or send and receive email, from my DoCoMo mail account to my Gmail account (which I also read on my phone). The DoCoMo mail (called sp-mode) I sent to my wife, however, appears never to have arrived.

(DoCoMo's mail system (at least as implemented on Android) is some complex thing that uses part of the circuit side (SMS, I believe, though I'm not certain) for signaling the availability of a message on the server, then a packet side connection to retrieve the message. On some software releases, you can receive notification of email but not the email itself when your phone is connected to a WLAN; my guess is that they have their mail servers firewalled from the Internet at large.)

My info about blaming the MNP management server came from the 11pm NHK newsbreak. DoCoMo's website contains a no-details acknowledgement of the outage, dated 8:30pm (twelve hours ago), nothing since. So far, even that's only available in Japanese.
http://www.nttdocomo.co.jp/info/network/kanto/pages/120802_3_d.html

Rodney Van Meter, associate professor, Faculty of Environment and Information Studies, Keio University, Japan  http://web.sfc.keio.ac.jp/~rdv/

------------------------------

Date: Tue, 14 Aug 2012 11:46:42 -0400
From: David <wb8foz_at_private>
Subject: Verizon 911 failures had multiple causes

During our recent derecho, Verizon's 911 service failed over large areas of Northern Virginia. A new report details the event:

"Verizon officials did not know that 911 emergency service was out in Fairfax County during June's derecho storm until the county called to tell them...."

"Maureen Davis, vice president of Verizon's network operations for the Mid-Atlantic region, said in an interview that the company also made a mistake in treating the problem as a service complaint rather than the large-scale outage that it was. ..... as the problems escalated at two offices -- Verizon's central office in Arlington and another in Fairfax that route calls for multiple 911 centers, Davis said."

"...batteries carried the system for about six hours at each site. Backup generators should then have shouldered the load. But the generators failed, Verizon said in the report, despite having been tested three days earlier."

{Load exceeded generator capacity}

"...tests did not check whether equipment that automatically signals a generator to work during a blackout was functioning properly, Davis said. The equipment failed during the storm."

This is a throwback to the 17 Sept 1991 ATT outage in NYC, where there was no one to respond to the power failure alarm.
(RISKS-12.43) <http://catless.ncl.ac.uk/Risks/12.43.html#subj2.2>

<http://www.washingtonpost.com/local/crime/verizon-details-errors-in-derecho-calls-response-to-911-outages-insufficient/2012/08/13/e2589596-e57f-11e1-8741-940e3f6dbf48_print.html>

------------------------------

Date: Mon, 13 Aug 2012 20:52:56 -0700
From: Sean Peisert <peisert_at_private>
Subject: JFK security is breached by man who swam ashore

I think you would find this some combination of amusing and appalling.

http://www.sfgate.com/business/article/JFK-security-is-breached-by-man-who-swam-ashore-3783708.php

Authorities said the trouble began Friday evening when 31-year-old Daniel Casillo's jet ski ran out of fuel in Jamaica Bay. Casillo swam toward the bright lights of Kennedy's runway 4L, which juts out into the bay, then climbed an 8-foot fence that is part of the airport's state-of-the-art Perimeter Intrusion Detection System, authorities said.

Soaking wet, wearing a bright yellow life jacket, Casillo made his way across two intersecting runways -- an estimated distance of nearly two miles -- before he was spotted on a terminal ramp by an airline employee, authorities said. According to the police report, Casillo told an officer: "I needed help!"

The intrusion-detection system, manufactured by defense contractor Raytheon Co., should have set off a series of warnings, said Bobby Egbert, spokesman for the Port Authority police officers union.

"This system is made specifically for those types of threats -- water-borne threats," Egbert said. "It did not detect him climbing over a fence. It did not detect him crossing two active runways."

http://www.nbcnewyork.com/news/local/Security-Breach-JFK-Jetski-Jamaica-Bay-Airline-165959376.html

------------------------------

Date: Thu, 9 Aug 2012 10:30:55 PDT
From: "Peter G. Neumann" <neumann_at_private>
Subject: Kaspersky Lab on Gauss, Flame, Stuxnet

Complex Cyber-Threat Designed to Monitor Online Banking Accounts

Is this connected with Flame and Stuxnet, therefore a US operation? This article implies that.

Kaspersky Lab Discovers Gauss, A New Complex Cyber-Threat Designed to Monitor Online Banking Accounts, *BusinessWire*, 9 Aug 2012
http://eon.businesswire.com/news/eon/20120809005743/en/Kaspersky-Lab/Kaspersky/Gauss

Gauss is a complex, nation-state sponsored cyber-espionage toolkit designed to steal sensitive data, with a specific focus on browser passwords, online banking account credentials, cookies, and specific configurations of infected machines. The online banking Trojan functionality found in Gauss is a unique characteristic that was not found in any previously known cyber-weapons.

Gauss was discovered during the course of the ongoing effort initiated by the International Telecommunication Union (ITU), following the discovery of Flame. The effort is aimed at mitigating the risks posed by cyber-weapons, which is a key component in achieving the overall objective of global cyber-peace. ITU, with expertise provided by Kaspersky Lab, is taking important steps to strengthen global cyber-security by actively collaborating with all relevant stakeholders such as governments, the private sector, international organizations and civil society, in addition to its key partners within the ITU-IMPACT initiative.

Kaspersky Lab's experts discovered Gauss by identifying commonalities the malicious program share with Flame. These include similar architectural platforms, module structures, code bases and means of communication with command & control (C&C) servers.

Quick facts:

* Analysis indicates that Gauss began operations in the September 2011 timeframe.
* It was first discovered in June 2012, resulting from the knowledge gained by the in-depth analysis and research conducted on the Flame malware.
* This discovery was made possible due to strong resemblances and correlations between Flame and Gauss.
* The Gauss C&C infrastructure was shut down in July 2012 shortly after its discovery. Currently the malware is in a dormant state, waiting for its C&C servers to become active.
* Since late May 2012, more than 2,500 infections were recorded by Kaspersky Lab's cloud-based security system, with the estimated total number of victims of Gauss probably being in the tens of thousands. This number is lower compared to the case of Stuxnet but it's significantly higher than the number of attacks in Flame and Duqu.
* Gauss steals detailed information about infected PCs including browser history, cookies, passwords, and system configurations. It is also capable of stealing access credentials for various online banking systems and payment methods.
* Analysis of Gauss shows it was designed to steal data from several Lebanese banks including the Bank of Beirut, EBLF, BlomBank, ByblosBank, FransaBank and Credit Libanais. In addition, it targets users of Citibank and PayPal.

The new malware was discovered by Kaspersky Lab's experts in June 2012. Its main module was named by the unknown creators after the German mathematician Johann Carl Friedrich Gauss. Other components bear the names of famous mathematicians as well, including Joseph-Louis Lagrange and Kurt Gödel. The investigation revealed that the first incidents with Gauss date back as early as September 2011. In July 2012 the command and control servers of Gauss stopped functioning.

Multiple modules of Gauss serve the purpose of collecting information from browsers, which include the history of visited websites and passwords. Detailed data on the infected machine is also sent to the attackers, including specifics of network interfaces, the computer's drives and BIOS information.
The Gauss module is also capable of stealing data from the clients of several Lebanese banks including the Bank of Beirut, EBLF, BlomBank, ByblosBank, FransaBank and Credit Libanais. It also targets users of Citibank and PayPal.

Another key feature of Gauss is the ability to infect USB thumb drives, using the same LNK vulnerability that was previously used in Stuxnet and Flame. At the same time, the process of infecting USB sticks is more intelligent. Gauss is capable of disinfecting the drive under certain circumstances, and uses the removable media to store collected information in a hidden file. Another activity of the Trojan is the installation of a special font called Palida Narrow, and the purpose of this action is still unknown.

While Gauss is similar to Flame in design, the geography of infections is noticeably different. The highest number of computers hit by Flame was recorded in Iran, while the majority of Gauss victims were located in Lebanon. The number of infections is also different. Based on telemetry reported from the Kaspersky Security Network (KSN), Gauss infected approximately 2,500 machines. In comparison, Flame was significantly lower, infecting closer to 700 machines.

Although the exact method used to infect the computers is not yet known, it is clear that Gauss propagates in a different manner to Flame or Duqu; however, similar to the two previous cyber-espionage weapons, Gauss's spreading mechanisms are conducted in a controlled fashion, which emphasize stealth and secrecy for the operation.

Alexander Gostev, Chief Security Expert, Kaspersky Lab, commented: ``Gauss bears striking resemblances to Flame, such as its design and code base, which enabled us to discover the malicious program. Similar to Flame and Duqu, Gauss is a complex cyber-espionage toolkit, with its design emphasizing stealth and secrecy; however, its purpose was different to Flame or Duqu. Gauss targets multiple users in select countries to steal large amounts of data, with a specific focus on banking and financial information.''

At the present time, the Gauss Trojan (Trojan-Spy.Win32.Gauss) is successfully detected, blocked and remediated by Kaspersky Lab's products.

The company's experts have published in-depth analysis of the malware at Securelist.com:
http://www.securelist.com/en/analysis/204792238/Gauss_Abnormal_Distribution

A Gauss FAQ containing the essential information about the threat is also available:
http://www.securelist.com/en/blog?weblogid=208193767

Stay tuned for updates by following our Facebook page: https://www.facebook.com/Kaspersky?ref=ts

Kaspersky Lab: Tim Whitman, 781-503-7804 timothy.whitman_at_private

Joel Harding, Information Operations Holistic Organizer (IOHO)
http://toinformistoinfluence.com  (703) 362-8582

------------------------------

Date: August 12, 2012 9:27:35 PM EDT
From: Labmanager <labmanager_at_private>
Subject: Wikileaks reveals TrapWire, a government spy network that uses ordinary surveillance cameras (Annalee Newitz via Dave Farber's IP)

http://io9.com/5933966/wikileaks-reveals-trapwire-a-government-spy-network-that-uses-ordinary-surveillance-cameras

It's just like an episode of Person of Interest. According to documents leaked on Wikileaks, the government has created a piece of technology, called TrapWire, that siphons data from surveillance cameras in stores, casinos, and other businesses around the country. Apparently agents can use facial recognition software to analyze this footage for, well, people of interest. Are we living in a total surveillance state without even realizing it?
Over at Business Insider, David Seaman reports on the contents of the documents at Wikileaks:

"Every few seconds, data picked up at surveillance points in major cities and landmarks across the United States are recorded digitally on the spot, then encrypted and instantaneously delivered to a fortified central database center at an undisclosed location to be aggregated with other intelligence. It's part of a program called TrapWire and it's the brainchild of the Abraxas, a Northern Virginia company staffed with elite from America's intelligence community. The employee roster at Abraxas reads like a who's who of agents once with the Pentagon, CIA and other government entities according to their public LinkedIn profiles, and the corporation's ties are assumed to go deeper than even documented.

The details on Abraxas and, to an even greater extent TrapWire, are scarce, however, and not without reason. For a program touted as a tool to thwart terrorism and monitor activity meant to be under wraps, it's understandable that Abraxas would want the program's public presence to be relatively limited. But thanks to last year's hack of the Strategic Forecasting intelligence agency, or Stratfor, all of that is quickly changing."

So: those spooky new "circular" dark globe cameras installed in your neighborhood park, town, or city -- they aren't just passively monitoring. They're plugged into TrapWire and they are potentially monitoring every single person via facial recognition.

Currently it's pretty hard to reach Wikileaks to read the papers yourself, because the site has been crushed under an onslaught of DDOS attacks, which, ... how convenient is that, conspiracy theorists? But you can still see a description of Abraxas' TrapWire technology here, at the USPTO.

------------------------------

Date: Mon, 13 Aug 2012 15:01:24 PDT
From: "Peter G. Neumann" <neumann_at_private>
Subject: Mat Honan hacked (Mat Honan's Tumblr via Marv Schaefer, with apologies to Lamont Cranston!)
It appears that Apple's misguided security engineers have finally gained full focus spotlight celebritydom (or is it celebritydumb?).

"Wired's Mat Honan got hacked hard over the weekend, and the attacker wiped out his iPhone, iPad, and Mac."

The full article is of interest, but here's the opening....
http://www.emptyage.com/post/28679875595/yes-i-was-hacked-hard

*Yes, I was hacked. Hard.*

So maybe you saw my Twitter going nuts tonight. Or you saw Gizmodo's Twitter account blow up. Or you saw this in AllThingsD. Or this in the DailyDot. Although embarrassing, Twitter was the least of it. In short, someone gained entry to my iCloud account, used it to remote wipe all of my devices, and get entry into other accounts too.

Here's what happened:

At 4:50 PM, someone got into my iCloud account, reset the password and sent the confirmation message about the reset to the trash. My password was a 7 digit alphanumeric that I didn't use elsewhere. When I set it up, years and years ago, that seemed pretty secure at the time. But it's not. Especially given that I've been using it for, well, years and years. My guess is they used brute force to get the password (see update) and then reset it to do the damage to my devices.

The backup email address on my Gmail account is that same .mac email address. At 4:52 PM, they sent a Gmail password recovery email to the .mac account. Two minutes later, an email arrived notifying me that my Google Account password had changed.

At 5:00 PM, they remote wiped my iPhone
At 5:01 PM, they remote wiped my iPad
At 5:05, they remote wiped my MacBook Air.

A few minutes after that, they took over my Twitter. Because, a long time ago, I had linked my Twitter to Gizmodo's they were then able to gain entry to that as well.

[Mat Honan's written an updated column explaining the details of the hacking, how it was done, and how his naiveté about security helped lead to his being so thoroughly hacked. See http://bit.ly/PB2mMO]

------------------------------

Date: Mon, 13 Aug 2012 17:13:26 -0400 (EDT)
From: msb_at_private (Mark Brader)
Subject: Ensure Phone is Off Before Engaging in Crime

According to police in Scranton, Pennsylvania, the arrest of a suspect following a drug deal was facilitated by the fact that he had accidentally dialed 911, leading to the entire conversation being recorded.

http://news.cnet.com/8301-17852_3-57491650-71/any

Mark Brader, Toronto, msb_at_private

------------------------------

Date: Fri, 10 Aug 2012 19:45:45 -0400 (EDT)
From: Danny Burstein <dannyb_at_private>
Subject: Claims of medical patient info encrypted, held for ransom

Surgeons of Lake County [Illinois], LLC Server Breach Incident Triggers Investigation as to Whether Patient Information May Have Been Compromised

The Surgeons of Lake County, LLC ("Surgeons") announced today that an unauthorized user had gained access to - and encrypted - their server in an attempt to force payment from Surgeons in exchange for the password needed to regain access to the server.

Surgeons learned of the incident on June 25, 2012, when it discovered that an unauthorized user had gained remote access to a server containing Surgeons' corporate email and electronic medical records. The unauthorized user posted a message on the server stating that the contents of the server had been encrypted and could only be accessed with a password that would only be supplied if Surgeons made the demanded payment. Upon receiving the demand, the server was turned off, and has not been turned back on.

(rest of story details the usual followups)

http://enewschannels.com/2012/07/20/enc15049_132901.php

------------------------------

Date: Sat, 04 Aug 2012 16:07:22 +0100
From: Martyn Thomas <martyn_at_thomas-associates.co.uk>
Subject: Microsoft sorry over 'big boobs' software code

Not all risks are executable.
The string "0xB16B00B5", a hexadecimal value, was found in software that allows Microsoft programs to work with Linux, the open source operating system. It prompted widespread criticism of Microsoft and debate over whether a "boys club" culture deters women from entering the software industry. Microsoft quickly apologised for the inclusion of the term and updated the code to remove it.

http://www.telegraph.co.uk/technology/microsoft/9415234/Microsoft-sorry-over-big-boobs-software-code.html

------------------------------

Date: Fri, 03 Aug 2012 10:27:06 +0100
From: Martyn Thomas <martyn_at_thomas-associates.co.uk>
Subject: RBS to pay out 125 million pounds (Re: RISKS-26.91,92)

Royal Bank of Scotland (RBS) has put aside £125m to pay compensation to customers affected by the recent breakdown in its computer systems. Account holders at RBS and its NatWest and Ulster Bank subsidiaries faced disruption for up to two weeks in June after a software upgrade at the bank.

http://www.bbc.co.uk/news/business-19107537

------------------------------

Date: Sat, 4 Aug 2012 14:17:12 -0700
From: Dave Farber <dave_at_private>
Subject: Re: Where Did the Internet Really Come From? (Steve Crocker)

  [Excellent item. Very well worth reading. PGN]

http://techpresident.com/news/22670/where-did-internet-really-come

------------------------------

Date: Sun, 5 Aug 2012 21:24:56 +0100
From: Phil Holden <eeyore_at_private>
Subject: Re: Best Typo Ever Runs A-1 in the Los Angeles Times (Tessa Stuart)

I thought the typo in RISKS-26.92 was funnier:

Re: A320 Lost 2 of 3 Hydraulic Systems on takeoff

> Professional opinion also included the possibility that the passenger
> nausea was only to be expected in flying a tight holding pattern over hot
> dessert for three hours, perhaps with yaw stabilisers off-line due to the
> failure.

Perhaps the passengers were hungry and the sight of syrup sponge or chocolate pudding or maybe apple pie like Mom used to bake was a bit too much to bear.
------------------------------

Date: Mon, 6 Jun 2011 20:01:16 -0900
From: RISKS-request_at_private
Subject: Abridged info on RISKS (comp.risks)

The ACM RISKS Forum is a MODERATED digest. Its Usenet manifestation is comp.risks, the feed for which is donated by panix.com as of June 2011.

=> SUBSCRIPTIONS: PLEASE read RISKS as a newsgroup (comp.risks or equivalent) if possible and convenient for you. The mailman Web interface can be used directly to subscribe and unsubscribe:
   http://lists.csl.sri.com/mailman/listinfo/risks
 Alternatively, to subscribe or unsubscribe via e-mail to mailman your FROM: address, send a message to
   risks-request_at_private
 containing only the one-word text subscribe or unsubscribe. You may also specify a different receiving address: subscribe address= ... . You may short-circuit that process by sending directly to either
   risks-subscribe_at_private or risks-unsubscribe_at_private
 depending on which action is to be taken. Subscription and unsubscription requests require that you reply to a confirmation message sent to the subscribing mail address. Instructions are included in the confirmation message. Each issue of RISKS that you receive contains information on how to post, unsubscribe, etc.

=> The complete INFO file (submissions, default disclaimers, archive sites, copyright policy, etc.) is online.
   <http://www.CSL.sri.com/risksinfo.html>
 The full info file may appear now and then in RISKS issues.
 *** Contributors are assumed to have read the full info file for guidelines.

=> .UK users may contact <Lindsay.Marshall_at_private>.

=> SPAM challenge-responses will not be honored. Instead, use an alternative address from which you NEVER send mail!

=> SUBMISSIONS: to risks_at_private with meaningful SUBJECT: line.
 *** NOTE: Including the string "notsp" at the beginning or end of the subject
 *** line will be very helpful in separating real contributions from spam.
 *** This attention-string may change, so watch this space now and then.
=> ARCHIVES: ftp://ftp.sri.com/risks for current volume
    or ftp://ftp.sri.com/VL/risks for previous VoLume
 http://www.risks.org takes you to Lindsay Marshall's searchable archive at newcastle:
   http://catless.ncl.ac.uk/Risks/VL.IS.html gets you VoLume, ISsue.
 Lindsay has also added to the Newcastle catless site a palmtop version of the most recent RISKS issue and a WAP version that works for many but not all telephones: http://catless.ncl.ac.uk/w/r
 <http://the.wiretapped.net/security/info/textfiles/risks-digest/> .

==> PGN's comprehensive historical Illustrative Risks summary of one liners:
   <http://www.csl.sri.com/illustrative.html> for browsing,
   <http://www.csl.sri.com/illustrative.pdf> or .ps for printing
 is no longer maintained up-to-date except for recent election problems.

==> Special Offer to Join ACM for readers of the ACM RISKS Forum:
   <http://www.acm.org/joinacm1>

------------------------------

End of RISKS-FORUM Digest 26.97
************************

Received on Wed Aug 15 2012 - 15:27:49 PDT