RISKS-LIST: Risks-Forum Digest  Saturday 29 September 2012  Volume 27 : Issue 03

ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
Peter G. Neumann, moderator, chmn ACM Committee on Computers and Public Policy

***** See last item for further information, disclaimers, caveats, etc. *****

This issue is archived at <http://www.risks.org> as
<http://catless.ncl.ac.uk/Risks/27.03.html>
The current issue can be found at
<http://www.csl.sri.com/users/risko/risks.txt>

Contents: [I was traveling. Sorry for the long gap between issues. PGN]
Fake sign causes real outage (John Carr)
Healthwatch: RCN subscribers in greater NYC area (Danny Burstein)
GAO recommendations on medical device security (Kevin Fu)
The disappearing web: Information decay is eating away our history (Gigaom via NNSquad)
Double Payments Bedevil Veterans' Pension System (James Dao via Monty Solomon)
Joint Typhoon Warning Center blocked for non-US users (jidanni)
New Jersey bans smiling in license photos (Mark Thorson)
"Major banks hit with biggest cyberattacks in history" (David Goldman via Gene Wirchenko)
Cyber Attacks on Banks Expose U.S. Infrastructure Vulnerability (Debra L Tekavec)
Using a rental computer? There's a spy-app with that ... (Danny Burstein)
Rented Computers Captured Customers Having Sex, F.T.C. Says (Matthew Kruk)
The Anti-Cloud? (Mark Thorson)
Remote wipe attack not limited to Samsung phones! (Bob Frankston)
Hackers Breached Adobe Server in Order to Sign Their Malware (Kim Zetter via Monty Solomon)
"Adobe confirms Windows 8 users vulnerable to active Flash exploits" (Gregg Keizer via Gene Wirchenko)
Two men admit to $10 million hacking spree on Subway sandwich shops
Millions of Virgin Mobile accounts at risk of password attacks (Dan Goodin via Monty Solomon)
Oracle Database suffers from "stealth password cracking vulnerability" (Lauren Weinstein)
Hidden web code means hackers 'can wipe Samsung Galaxy S3' (Bob Frankston)
Security experts not understanding security risks (Ars Technica via Jeremy Epstein)
"Do Not Call List doesn't apply for home business lines: CRTC" (Brian Jackson via Gene Wirchenko)
Your Ballot is Now Available (Wendy M. Grossman)
No Fundamental Right to a Secret Ballot (Jonathan S. Shapiro)
"One poor security choice results in $250,000 Bitcoin heist" (Gene Wirchenko)
SPAM with Calendar invites risks... (George Michaelson)
Authentication monoculture (Dag-Erling Smørgrav)
Data breach at IEEE.org: 100k plaintext passwords (Jeffrey Walton)
Risks of linking information from Facebook leads to bigamy charges (Thomas Dzubin)
Facebook wants you to snitch on your friends not using their real names (Paul Bernal via Lauren Weinstein)
"Facebook reveals its evil plans" (Robert X. Cringely via Gene Wirchenko)
A new nasty virus and an excellent tool to counter it and others (Paul Robinson)
20% of new PCs in China come with malware pre-installed (Wolfgang Gruener via Jim Reisert)
Hidden web code means hackers 'can wipe Samsung Galaxy S3' (Lauren Weinstein)
Leaked Apple IDs ... (Gene Wirchenko)
Re: When GPS Confuses, You May Be to Blame (Henry Baker)
Abridged info on RISKS (comp.risks)

----------------------------------------------------------------------

Date: Tue, 18 Sep 2012 08:46:55 -0400
From: John Carr <jfc_at_private>
Subject: Fake sign causes real outage

"High voltage" signs next to Verizon cable conduits were a bluff to keep
homeless people away. They did not work. Instead they kept firefighters
from extinguishing a mattress fire. Regional phone and Internet service
went out as the cables melted.

<http://www.eagletribune.com/latestnews/x550073983/Something-that-valuable-has-to-be-secured>

------------------------------

Date: Thu, 6 Sep 2012 18:34:07 -0400 (EDT)
From: danny burstein <dannyb_at_private>
Subject: Healthwatch: RCN subscribers in greater NYC area

RCN was still out an hour ago (last time I was able to check). They're now
talking about a midnight restoration. That would be over thirty hours. So
this is tens of thousands of customers losing their access. Oh, and includes
plenty of servers, too. Maybe hundreds of thousands...

A "fiber cut" has crippled RCN's service in the greater NYC area since Weds.
evening. This kills their phone, TV, and Internet users...

One of their reps posted [a]:

  They are still working on the Fiber cut at this time, so services are
  still affected. We have crews in the field working diligently to restore
  services.

  Jason Nealis, V.P. Engineering and Operations

------------------------------

Date: Thu, 27 Sep 2012 16:23:01 -0400
From: Kevin Fu <kevinfu_at_private>
Subject: GAO recommendations on medical device security

Today GAO issued a set of recommendations to improve the information security
of certain medical devices.
http://www.gao.gov/assets/650/647767.pdf

Three lawmakers who requested the GAO review issued the following responses:
http://markey.house.gov/sites/markey.house.gov/files/GAO_MedicalImplants.pdf
http://markey.house.gov/press-release/markey-edwards-eshoo-hacking-threats-implantable-medical-devices-call-improved-fda

Kevin Fu, Associate Professor, UMass Amherst Computer Science
http://spqr.cs.umass.edu/
N.B.: My lab moves to Michigan on January 1.

------------------------------

Date: Sun, 23 Sep 2012 09:54:05 -0700
From: Lauren Weinstein <lauren_at_private>
Subject: The disappearing web: Information decay is eating away our history

"In fact, the researchers said that within a year of these events, an average
of 11 percent of the material that was linked to had disappeared completely
(and another 20 percent had been archived), and after two-and-a-half years,
close to 30 percent had been lost altogether and 41 percent had been archived.
Based on this rate of information decay, the authors predicted that more than
10 percent of the information about a major news event will likely be gone
within a year, and the remainder will continue to vanish at the rate of .02
percent per day."

http://j.mp/SgjSvu (Gigaom via NNSquad)

------------------------------

Date: Thu, 27 Sep 2012 08:31:00 -0400
From: Monty Solomon <monty_at_private>
Subject: Double Payments Bedevil Veterans' Pension System (James Dao)

James Dao, 22 Sep 2012

PHILADELPHIA - In July 2010, a Department of Veterans Affairs employee named
Kristen Ruell was updating a benefit claim when she noticed something odd.
What should have been an increase of about $2,000 in a monthly payment to the
widow of a veteran showed up on her computer screen as $21,000.

Puzzled, she set the claim aside and began digging into computer files for an
answer. What she found surprised and worried her: the department's database
contained duplicate records for the widow, and the system was trying to pay
her twice. It was also recommending a retroactive payment dating back months
- though the widow had already been paid for that period.

After seeing the same problem in other claims, Ms. Ruell, who works on a
quality review team at a veterans pension management center in Philadelphia,
says she raised red flags with her bosses. If she, one of scores of payment
authorizers nationwide, was just noticing the duplicate payments, was it not
likely that the department had inadvertently overpaid many other people for
years?

Two years later, that concern has not been resolved, Ms. Ruell and several
other pension management workers say. ...

http://www.nytimes.com/2012/09/23/us/duplicate-payments-bedevil-va-pension-system-workers-say.html

------------------------------

Date: Mon, 10 Sep 2012 16:48:13 +0800
From: jidanni_at_private
Subject: Joint Typhoon Warning Center blocked for non-US users

The Joint Typhoon Warning Center (JTWC) is the U.S. Department of Defense
agency responsible for issuing tropical cyclone warnings for the Pacific and
Indian Oceans. It is blocked for non-US users, for National Security Reasons.
What will they think of next. [...]

------------------------------

Date: Mon, 24 Sep 2012 08:55:28 -0700
From: Mark Thorson <eee_at_private>
Subject: New Jersey bans smiling

Since January, New Jersey banned smiling for driver's license photographs
because it can't be handled by new facial recognition software.

http://articles.philly.com/2012-09-21/news/33978387_1_smile-motor-vehicle-commission-facial-expressions

What good is facial recognition software that can be defeated by a smile? If
I see someone with a forced smile at an airport, does that mean they're
likely to be a terrorist?
------------------------------

Date: Fri, 28 Sep 2012 11:00:51 -0700
From: Gene Wirchenko <genew_at_private>
Subject: "Major banks hit with biggest cyberattacks in history"

David Goldman, @CNNMoneyTech, 28 Sep 2012, The Cybercrime Economy
http://money.cnn.com/2012/09/27/technology/bank-cyberattacks/index.html

------------------------------

Date: Sep 28, 2012 6:32 PM
From: "Debra L Tekavec" <dtekavec_at_private>
Subject: Cyber Attacks on Banks Expose U.S. Infrastructure Vulnerability

[From Dave Farber's IP]

Even if you think you know this stuff cold,
Bloomberg, 27 Sep 2012, http://www.bgov.com/news_item/mqZezAeKXUSylBI8GncG_Q

Cyber attacks on the biggest U.S. banks, including JPMorgan Chase & Co. and
Wells Fargo & Co., have breached some of the nation's most advanced computer
defenses and exposed the vulnerability of its infrastructure, said
cybersecurity specialists tracking the assaults.

The attack, which a U.S. official yesterday said was waged by a
still-unidentified group outside the country, flooded bank websites with
traffic, rendering them unavailable to consumers and disrupting transactions
for hours at a time.

Such a sustained network attack ranks among the worst-case scenarios
envisioned by the National Security Agency, according to the U.S. official,
who asked not to be identified because he isn't authorized to speak publicly.
The extent of the damage may not be known for weeks or months, said the
official, who has access to classified information. ...

``The nature of this attack is sophisticated enough or large enough that even
the largest of the financial institutions would find it difficult to defend
against,'' Rodney Joffe, senior vice president at Sterling, Virginia-based
security firm Neustar Inc. said in a phone interview.

While the group is using a method known as distributed denial-of-service, or
DDoS, to overwhelm financial-industry websites with traffic from hijacked
computers, the attacks have taken control of commercial servers that have
much more power, according to the specialists.

``The notable thing is the volume and the scale of the traffic that's been
directed at these sites, and that's very rare,'' Dmitri Alperovitch,
co-founder and chief technology officer of Palo Alto, California-based
security firm CrowdStrike Inc., said in a phone interview.

------------------------------

Date: Wed, 26 Sep 2012 22:36:40 -0400 (EDT)
From: danny burstein <dannyb_at_private>
Subject: Using a rental computer? There's a spy-app with that ...

[FTC press release]

FTC Halts Computer Spying
Secretly Installed Software on Rented Computers Collected Information, Took
Pictures of Consumers in Their Homes, Tracked Consumers' Locations

Seven rent-to-own companies and a software design firm have agreed to settle
Federal Trade Commission charges that they spied on consumers using computers
that consumers rented from them, capturing screenshots of confidential and
personal information, logging their computer keystrokes, and in some cases
taking webcam pictures of people in their homes, all without notice to, or
consent from, the consumers.

... user names and passwords for e-mail accounts, social media websites, and
financial institutions; Social Security numbers; medical records; private
e-mails to doctors; bank and credit card statements; and webcam pictures of
children, partially undressed individuals, and intimate activities at home,
according to the FTC.

rest: http://www.ftc.gov/opa/2012/09/designware.shtm

------------------------------

Date: Thu, 27 Sep 2012 21:06:26 -0600
From: "Matthew Kruk" <mkrukg_at_private>
Subject: Rented Computers Captured Customers Having Sex, F.T.C. Says (Nick Bilton)

http://bits.blogs.nytimes.com/2012/09/26/rented-computers-captured-customers-having-sex-f-t-c-says/?nl=todaysheadlines&emc=tha26_20120927

Nick Bilton, *The New York Times*, Sep 26 2012
Rented Computers Captured Customers Having Sex, F.T.C. Says

If you rented a computer, you probably should not have been blogging without
your shirt on.

On Tuesday, seven computer rental companies agreed to a settlement with the
federal government after it was discovered that they were unlawfully
capturing photos of customers by using illicit software that controlled a
computer's webcam. ...

The webcam software, called PC Rental Agent, had been installed on
approximately 420,000 computers worldwide, according to the F.T.C., and as of
August 2011 it was being used by approximately 1,617 rent-to-own stores in
the United States, Canada and Australia.

  [Article Copyright 2012 *The New York Times*, Excerpted for RISKS. PGN]

------------------------------

Date: Sat, 15 Sep 2012 10:38:59 -0700
From: Mark Thorson <eee_at_private>
Subject: The Anti-Cloud?

Symform is offering cloud storage services on the front end, but instead of
operating their own cloud on the back end, they store data in unused space on
other customers' drives.

http://siliconangle.com/blog/2012/09/14/symform-brings-bartering-to-the-cloud/

It seems to me this is a step beyond traditional cloud computing (if
something as new as cloud computing can be said to have anything
"traditional"). Not only is my data trusted to another party, they in turn
are trusting it to unknown (to me) third parties. I can see the argument
that encryption and redundancy might make this as secure and reliable as any
other cloud services, and perhaps even more so because there's no datacenter
to flood or catch fire. But it still seems weird to me, like going to the
hospital and finding out my surgery will be performed remotely by a doctor in
Bangladesh.
------------------------------

Date: Wed, 26 Sep 2012 15:14:14 -0400
From: "Bob Frankston" <Bob19-0501_at_private>
Subject: Remote wipe attack not limited to Samsung phones!

http://www.theverge.com/2012/9/26/3412432/samsung-touchwiz-remote-wipe-vulnerability-android-dialer

The article points to a web page which uses tel:*%2306%23 to display the IMEI
number! Just click on the tel: URL in this message on affected phones.

Put that through your firewall and see how futile primitive security is.

------------------------------

Date: Thu, 27 Sep 2012 22:11:02 -0400
From: Monty Solomon <monty_at_private>
Subject: Hackers Breached Adobe Server in Order to Sign Their Malware (Kim Zetter)

Kim Zetter, *WiReD*, 27 Sep 2012

The ongoing security saga involving digital certificates got a new and
disturbing wrinkle on Thursday when software giant Adobe announced that
attackers breached its code-signing system and used it to sign their malware
with a valid digital certificate from Adobe.

Adobe said the attackers signed at least two malicious utility programs with
the valid Adobe certificate. The company traced the problem to a compromised
build server that had the ability to get code approved from the company's
code-signing system.

Adobe said it was revoking the certificate and planned to issue new
certificates for legitimate Adobe products that were also signed with the
same certificate, wrote Brad Arkin, senior director of product security and
privacy for Adobe, in a blog post. ...

http://www.wired.com/threatlevel/2012/09/adobe-digital-cert-hacked/

Inappropriate Use of Adobe Code Signing Certificate
http://blogs.adobe.com/asset/2012/09/inappropriate-use-of-adobe-code-signing-certificate.html

------------------------------

Date: Tue, 11 Sep 2012 14:23:17 -0700
From: Gene Wirchenko <genew_at_private>
Subject: "Adobe confirms Windows 8 users vulnerable to active Flash exploits" (Gregg Keizer)

Gregg Keizer, *Computerworld*, 10 Sep 2012
Baked-in Flash Player in Windows 8's IE10 won't be updated until late
October, says Microsoft
http://www.infoworld.com/d/security/adobe-confirms-windows-8-users-vulnerable-active-flash-exploits-201941

------------------------------

Date: Wed, 19 Sep 2012 00:04:14 -0400
From: Monty Solomon <monty_at_private>
Subject: Two men admit to $10 million hacking spree on Subway sandwich shops (Dan Goodin)

Dan Goodin, Ars Technica, 17 Sep 2012
The Romanians admitted their role in a ring that compromised some 146,000 cards.

Two Romanian men have admitted to participating in an international
conspiracy that hacked into credit-card payment terminals at more than 150
Subway restaurant franchises and stole data for more than 146,000 accounts.
The heist, which spanned the years 2009 to 2011, racked up more than $10
million in losses, federal prosecutors said.

http://arstechnica.com/security/2012/09/romanians-cop-to-10-million-hacking-spree/

------------------------------

Date: Wed, 19 Sep 2012 00:04:14 -0400
From: Monty Solomon <monty_at_private>
Subject: Millions of Virgin Mobile accounts at risk of password attacks

A customer who cracked his password shows just how easy account takeovers are.
Dan Goodin, Ars Technica, 18 Sep 2012
http://arstechnica.com/security/2012/09/virgin-mobile-password-crack-risk/

------------------------------

Date: Thu, 20 Sep 2012 15:48:42 -0700
From: Lauren Weinstein <lauren_at_private>
Subject: Oracle Database suffers from "stealth password cracking vulnerability"

"A weakness in an Oracle login system -- used in the company's databases which
grant access to sensitive information -- makes it trivial for attackers to
crack user passwords and gain entry without authorization, a researcher has
warned."

http://j.mp/PMr1Q3 (Ars Technica via NNSquad)

  [See also Oracle database flaw deemed serious, could expose data, noted by
  Gene Wirchenko. PGN]
http://www.infoworld.com/d/security/oracle-database-flaw-deemed-serious-could-expose-data-203001

------------------------------

Date: Tue, 25 Sep 2012 11:09:00 -0400
From: "Bob Frankston" <Bob19-0501_at_private>
Subject: Hidden web code means hackers 'can wipe Samsung Galaxy S3' - Telegraph

http://www.telegraph.co.uk/technology/samsung/9565395/Hidden-web-code-means-hackers-can-wipe-Samsung-Galaxy-S3.html

Malicious hackers can hide a code in a web page that will trigger a full
factory reset of Samsung's best-selling Galaxy S3 smartphone, deleting
contacts, photographs, music, apps and other valuable data, security
researchers have discovered.

------------------------------

Date: Tue, 25 Sep 2012 09:05:10 -0400
From: Jeremy Epstein <jeremy.j.epstein_at_private>
Subject: Security experts not understanding security risks

http://arstechnica.com/security/2012/09/secret-microsoft-policy-limited-hotmail-passwords-to-16-characters/

Ars Technica reports that Costin Raiu from Kaspersky Lab noticed that Hotmail
no longer accepts passwords longer than 16 characters, and quotes him as
saying "To pull off this trick [of allowing login with only the first 16
characters of the password] with older passwords, Microsoft has two choices.
[Either] store full plaintext passwords in their [database]; compare the first
16 [characters] only [or] Calculate the hash only on the first 16; ignore the
rest." He then goes on to comment that he isn't sure which option is worse.

The article then goes on to note that Hotmail's limit is shorter than other
services, and quotes a Microsoft spokesperson as saying that the rule has
always been there, and silently enforced - only now it gives a message if
you try to type more than 16 characters. Microsoft also noted that length
isn't the key thing, it's uniqueness. Further, the Microsoft spokesperson
notes that "we've found the vast majority of attacks are through phishing,
malware infected machines, and the reuse of passwords on third-party sites
-- none of which are helped by very long passwords."

Of all people, a technical expert like Raiu should understand this last
point - if he's relying on Hotmail to protect his information by virtue of a
long password, he's putting his faith in the wrong place. Even if he's
protected against client-side threats suggested by Microsoft, there are still
attacks against the Hotmail servers, not to mention insider attacks.

Many years ago, Sami Saydjari used the analogy of security as a picket fence,
where security techniques can raise & lower pickets (or create additional
fences to be scaled). 16-character passwords are already a reasonably high
picket, when compared to the other pickets in our security infrastructure.
As security experts, we have a moral obligation to raise the low pickets, and
not spend our time complaining about the high pickets, especially in ways
that are likely to unreasonably stoke public fears about the wrong problems.
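The two back-end choices Raiu lists above can be made concrete. The following is an added editorial example, not code from the RISKS post, from Raiu, or from Microsoft: it models "store plaintext, compare the first 16" and "hash only the first 16" beside a salted hash over the whole password, and adds a self-check a site operator can run against their own store/verify pair to find out whether characters past a limit are silently ignored. The PBKDF2 parameters and the function names are assumptions.

```python
"""
Added example, not code from the RISKS post, Raiu, or Microsoft: models the
two back-end choices Raiu describes for a silent 16-character limit next to
the usual salted hash over the whole password, plus a self-check a defender
can run against their own store/verify pair to detect truncation. The
PBKDF2 parameters and the function names are assumed, not from the page.
"""
import hashlib
import hmac
import os

MAX_LEN = 16          # the Hotmail limit discussed in the post
ITERATIONS = 100_000  # PBKDF2 work factor (assumed value)


def _kdf(password: str, salt: bytes) -> bytes:
    """Salted, iterated hash of the password exactly as given (no truncation here)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)


# Raiu's option 1: keep the full plaintext, compare only the first 16 chars.
def store_plaintext(password: str) -> dict:
    return {"scheme": "plaintext", "secret": password}


def verify_plaintext(record: dict, attempt: str) -> bool:
    return hmac.compare_digest(
        record["secret"][:MAX_LEN].encode("utf-8"),
        attempt[:MAX_LEN].encode("utf-8"),
    )


# Raiu's option 2: hash only the first 16 chars, ignore the rest.
def store_truncated_hash(password: str) -> dict:
    salt = os.urandom(16)
    return {"scheme": "truncated", "salt": salt, "hash": _kdf(password[:MAX_LEN], salt)}


def verify_truncated_hash(record: dict, attempt: str) -> bool:
    return hmac.compare_digest(record["hash"], _kdf(attempt[:MAX_LEN], record["salt"]))


# The usual practice: salted hash over the entire password.
def store_full_hash(password: str) -> dict:
    salt = os.urandom(16)
    return {"scheme": "full", "salt": salt, "hash": _kdf(password, salt)}


def verify_full_hash(record: dict, attempt: str) -> bool:
    return hmac.compare_digest(record["hash"], _kdf(attempt, record["salt"]))


def truncates_silently(store, verify, length: int = MAX_LEN) -> bool:
    """Defender's check: enrol a password longer than `length`, then present
    one that agrees only on the first `length` characters. If the backend
    accepts it, characters past `length` are being ignored."""
    prefix = "x" * length
    record = store(prefix + "-tail-that-should-matter")
    return verify(record, prefix + "-a-different-tail")


if __name__ == "__main__":
    for name, store, verify in [
        ("plaintext, compare first 16", store_plaintext, verify_plaintext),
        ("hash of first 16", store_truncated_hash, verify_truncated_hash),
        ("salted hash of full password", store_full_hash, verify_full_hash),
    ]:
        print(f"{name:30s} truncates={truncates_silently(store, verify)}")
```

The same probe works against a live login form: register a long password, then log in with one that matches only its first 16 characters.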
------------------------------

Date: Mon, 10 Sep 2012 10:01:24 -0700
From: Gene Wirchenko <genew_at_private>
Subject: "Do Not Call List doesn't apply for home business lines: CRTC" (Brian Jackson)

Brian Jackson, *IT Business*, 7 Sep 2012
http://www.itbusiness.ca/it/client/en/Home/News.asp?id=68759

In a decision made today, the CRTC says that a home phone line associated
with a business can receive telemarketing calls even if it's on the DNCL and
the calls are for consumer services.

------------------------------

Date: Sat, 22 Sep 2012 12:48:41 +0100
From: "Wendy M. Grossman" <wendyg_at_private>
Subject: Fwd: Your Ballot is Now Available

The most dangerous spam...

I got two different variants of this (appended below) about half an hour
apart last night, both mentioning NY state (which is the state I vote from),
and had to think for a minute before saying, no, spam. I don't *think* it's
a genuine effort to game the election by deterring voters like the more
traditional tactics of phone-calling and leaflets (advertising, for example,
that Democrats vote on Monday and Republicans on Tuesday or vice-versa, or
some other misinformation that leads a whole class of voters to disqualify
themselves). I think it's just ordinary, but very clever and very dangerous,
spam.

I sent a copy of the earlier message to Rebecca Mercuri as a curiosity, and
she took the trouble to dig through the pages at the link given; she notes
they ask for a *ton* of information - driver's license number, SSN, etc. -
but also that the quality of the spam breaks down with errors such as
mentioning Alabama on the NY State pages.

I am in fact an overseas voter from NY state. The giveaways are:

- overseas voters do not deal with the NY State Board of Elections but with
  the Board of Elections in the last county they lived in.

- I have always been sent paper registration forms, primary ballots, and
  election ballots. I've had no information that the BoE I deal with is
  changing that.

- There is nothing on my county's BoE Web site to indicate that they are
  shifting to electronic ballots for overseas voters.

- I don't recall ever having given my BoE my e-mail address. If I ever do,
  it seems clear that it should be one that is unique, used for no other
  purpose, and not published.

Nonetheless, this is a very cleverly timed spam that could easily lead some
people to panic. I'd like it publicized as widely as possible.

wg

-------- Original Message --------
Subject: Electronic Ballot Access for Military/Overseas Voters
Date: Sat, 22 Sep 2012 02:23:27 +0100
From: NYsupport_at_private
To: <my correct e-mail address>

Dear Voter,

An electronic ballot has been made available to you for the GE 11/6/12
(Federal) by your local County Board of Elections. Please access
www.secureballotusa.com/NY to download your ballot.

Due to recent upgrades, all voters will need to go through the "First Time
Access" process on the site in order to gain access to the electronic ballot
delivery system.

- - - - -

Important information for members of the Uniformed Services or Merchant
Marine on active duty, their spouses and/or dependents:

Please be aware that this is the first of two ballots you will be given
access to. This ballot will list only Federal contests (President/Vice
President, U.S. Senate and Congressional offices). The second ballot, to be
made available the first week in October, will list State contests for
Supreme Court Justice, State Senate, State Assembly and any local contests
(county/town/village). More detailed information on this has been included
inside the downloadable file containing your ballot.

-------- Original Message --------
Subject: Your Ballot is Now Available
Date: 22 Sep 2012 00:07:11 -0400
From: NYS Board of Elections <Move_at_private>
Reply-To: MOVE_at_private
To: <my correct e-mail address>

Dear Voter,

An electronic ballot has been made available to you for the November 6, 2012
General Election. Please access https://www.secureballotusa.com/NY to
download your ballot.

Due to recent upgrades, all voters will need to go through the "First Time
Access" process on the site in order to gain access to the electronic ballot
delivery system.

If you have any questions or experience any problems, please e-mail
NYsupport_at_private <mailto:NYsupport_at_private> or visit the NYS Board of
Elections' website at http://www.elections.ny.gov for additional information.

*Important information for members of the Uniformed Services or Merchant
Marine on active duty, their spouses and/or dependents:*

Please be aware that this is the first of two ballots you will be given
access to. This ballot will list only Federal contests (President/Vice
President, U.S. Senate and Congressional offices). The second ballot, to be
made available the first week in October, will list State contests for
Supreme Court Justice, State Senate, State Assembly and any local contests
(county/town/village). More detailed information on this has been included
inside the downloadable file containing your ballot.

------------------------------

Date: Sep 23, 2012 6:38 PM
From: "Jonathan S. Shapiro" <shap_at_eros-os.org>
Subject: No Fundamental Right to a Secret Ballot

[Via Dave Farber's IP]

Excerpt from Examiner.com article
<http://www.examiner.com/article/federal-district-judge-rules-there-is-no-fundamental-right-to-a-secret-ballot>

On Friday, Federal Judge Christine Arguello dismissed a case by Citizen
Center, a voter protection and election transparency organization regarding
the privacy of ballots in Boulder, Chaffee and Eagle Counties... The ruling,
which members of the organization have called *shocking*, argues that there
is no constitutional right to a secret ballot.

Online article here:
http://www.examiner.com/article/federal-district-judge-rules-there-is-no-fundamental-right-to-a-secret-ballot

It will be interesting to see what happens with this.

The ruling is surprising and deeply problematic, but I'm not aware of
anything in the constitution that guarantees voter privacy. I'm inclined to
think that Justice Arguello might be on firm constitutional ground here. As
I read Article 1, Section 4, the question of voter anonymity for Legislative
Branch elections appears to be a state-decided issue. For the Executive
Branch election process, the states have *complete* discretion in setting
the rules for choice of Electors, and I see nothing in Article 2, Section 1,
or Amendment 18 that precludes a state from requiring full transparency of
voting at the Elector level.

Oh what a fascinating digital age we live in.

------------------------------

Date: Thu, 06 Sep 2012 14:27:32 -0700
From: Gene Wirchenko <genew_at_private>
Subject: "One poor security choice results in $250,000 Bitcoin heist"

Ted Samson, *InfoWorld*, 06 Sep 2012
http://www.infoworld.com/t/cyber-crime/one-poor-security-choice-results-in-250000-bitcoin-heist-201814

One poor security choice results in $250,000 Bitcoin heist
Bitfloor operator admits to leaving unencrypted wallet keys lying around,
leading to theft of 24,000 Bitcoins

------------------------------

Date: Thu, 20 Sep 2012 09:42:56 +1000
From: George Michaelson <ggm_at_private>
Subject: SPAM with Calendar invites risks...

I'm being told that a (new?) class of SPAM with embedded Calendar invites is
triggering 'do you want to attend' interactions with Mail.app on OSX. These
popups have no exit which doesn't cause a reply to the embedded IP in the
invite. i.e., the SPAM can force you to an interaction.

If true... worrisome.

------------------------------

Date: Tue, 18 Sep 2012 20:27:03 +0200
From: Dag-Erling Smørgrav <des_at_private>
Subject: Authentication monoculture

Most Norwegian financial institutions participate in a decentralized
authentication network called BankID.
Briefly summarized, you choose one institution as your primary identity provider, and when you log in on that or any other participating institution's web site, your identity provider handles authentication and certifies to the relying party that you are who you say you are. It's a bit like OpenID, but not quite; more like eduroam, for those familiar with it. The interactive part of the authentication process is handled by a Java applet. One risk is immediately obvious: compromise Java and you've compromised the entire system. During the recent Java debacle, there was at least one report of a user being asked for his credit card number instead of (or in addition to?) his BankID credentials. There is another, more insidious risk. While BankID is opt-in for the customer, once activated, it is enabled for *all* participating institutions - and there is no way to opt out of opting in, so to speak. What does this mean? It's quite simple: someone steals your passport and all your credit cards. You immediately report the theft, notify your bank and credit card issuer, etc. and you're safe, right? Not so - whoever has your passport and looks a bit like you can, if they act quickly, open an account in your name at a different bank, select that bank as their BankID provider, and immediately gain access to all your accounts in all participating institutions. This particular hole has received some press coverage, so I suppose it will be plugged quickly - but it probably won't be long until someone finds another. DES Dag-Erling Sm?rgrav - des_at_private ------------------------------ Date: Tue, 25 Sep 2012 12:45:06 -0400 From: Jeffrey Walton <noloader_at_private> Subject: [funsec] Data breach at IEEE.org: 100k plaintext passwords [Forwarded message from Jeffrey Walton <noloader_at_private>, via RicKulawiec in Dave Farber's IP, truncated for RISKS. PGN] I expected better from IEEE. http://ieeelog.com IEEE suffered a data breach which I discovered on Sep 18. 
For a few days I was uncertain what to do with the information and the data. Yesterday I let them know, and they fixed (at least partially) the problem. The usernames and passwords kept in plaintext were publicly available on their FTP server for at least one month prior to my discovery. Among the almost 100.000 compromised users are Apple, Google, IBM, Oracle and Samsung employees, as well as researchers from NASA, Stanford and many other places. I did not and will not make the raw data available to anyone else. ... Due to several undoubtedly grave mistakes, the ieee.org account username and plaintext password of around 100,000 IEEE members were publicly available on the IEEE FTP server for at least one month. Furthermore, all the actions these users performed on the ieee.org website were also available. Separately, spectrum.ieee.org visitor activity is also publicly available. The simplest and most important mistake on the part of the IEEE web administrators was that they failed to restrict access to their webserver logs for both ieee.org and spectrum.ieee.org allowing these to be viewed by anyone going to the address ftp://ftp.ieee.org/uploads/akamai/ (closed on September 24 around 13:00 UTC, after I reported it). On these logs, as is the norm, every web request was recorded (more than 376 million HTTP requests in total). Web server logs should never be publicly available, since they usually contain information that can be used to identify users (sometimes even after the log was anonymized as in the "AOL incident" [3]). However, this case is much worse, since 411.308 of the log entries contain both usernames and passwords. Out of these, there seem to be 99.979 unique usernames. If leaving an FTP directory containing 100GB of logs publicly open could be a simple mistake in setting access permissions, keeping both usernames and passwords in plaintext is much more troublesome. 
Keeping a salted cryptographic hash of the password is considered best practice, since it would mitigate exactly such an access permission mistake. Also, keeping passwords in logs is inherently insecure, especially plaintext passwords, since any employee with access to logs (for the purpose of analysis, monitoring or intrusion detection) could pose a threat to the privacy of users.

------------------------------

Date: Fri, 14 Sep 2012 11:20:03 -0700 (PDT)
From: Thomas Dzubin <dzubint_at_private>
Subject: Risks of linking information from Facebook leads to bigamy charges

Facebook likes to suggest friends of friends to people with the "People You May Know" feature. Unfortunately, this can lead to some unintended consequences.

http://www.theglobeandmail.com/technology/digital-culture/social-web/facebook-pics-of-secret-wife-lead-to-bigamy-charges/article552557/

Thomas Dzubin, Saskatoon, Vancouver, or Calgary CANADA

------------------------------

Date: Fri, 21 Sep 2012 17:10:45 -0700
From: Lauren Weinstein <pfir_at_private>
Subject: Facebook wants you to snitch on your friends not using their real names

http://j.mp/PvI0I7 (Paul Bernal's Blog)

"A story about Facebook went around twitter last night that provoked quite a reaction in privacy advocates like me: Facebook, it seems, is experimenting with getting people to 'snitch' on any of their friends who don't use their real names." - Paul Bernal

Facebook appears to claim that such snitching "won't affect your friends' accounts" (now? later?) ... perhaps suggesting it's "only" for data analysis purposes. Maybe so, but it's still seriously creepy, Zuck.
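[Editor's worked example on the IEEE log-leak item above. The two controls that item says were missing are (1) not letting credentials land in web-server logs at all, and (2) storing only a salted hash of the password. The Python below is an added illustration, not code from IEEE or from the reporter: it scans constructed Combined-Log-Format access-log lines for login forms submitted via GET (which is how a username and password end up in a request line), redacts the secret, lists the accounts that would need a forced reset, and shows a salted PBKDF2 record beside a verify routine. The log lines, paths and parameter names are invented for the example.]

```python
"""Added example (not from the RISKS item or from IEEE).

1. scrub_log(): find credential parameters in access-log request lines,
   redact them, and report the usernames that travelled next to a secret
   (the accounts an incident responder would force-reset).
2. hash_password()/verify_password(): salted, iterated hashing so that a
   leaked record is not the password itself.

Sample log lines are constructed; the layout is standard Combined Log
Format but the hosts, paths and names are invented for illustration.
"""
import hashlib
import hmac
import os
import re
from typing import List, Optional, Tuple

# Constructed sample. Lines 2 and 3 show the failure mode: a login form
# submitted via GET, so username and password become part of the URL and
# are written to the access log. Line 4 only *mentions* "password" in a
# search term and must be left untouched.
SAMPLE_LOG = """\
10.0.0.5 - - [18/Sep/2012:10:01:02 +0000] "GET /index.html HTTP/1.1" 200 1234
10.0.0.6 - - [18/Sep/2012:10:01:09 +0000] "GET /login?username=jdoe&password=Hunter2 HTTP/1.1" 302 0
10.0.0.7 - - [18/Sep/2012:10:02:33 +0000] "POST /login?user=asmith&passwd=s3cret&next=%2Fhome HTTP/1.1" 302 0
10.0.0.8 - - [18/Sep/2012:10:03:15 +0000] "GET /search?q=password+policy HTTP/1.1" 200 9876
"""

# Secret-bearing query parameters. The lookbehind requires the name to be a
# whole parameter (preceded by '?' or '&'), so "q=password+policy" does not match.
SECRET_PARAMS = re.compile(
    r'(?P<key>(?<=[?&])(?:password|passwd|pass|pwd|token|secret)=)'
    r'(?P<val>[^&\s"]*)',
    re.IGNORECASE,
)
# Username parameters that usually travel alongside a secret.
USER_PARAMS = re.compile(r'(?<=[?&])(?:username|user|login)=([^&\s"]*)', re.IGNORECASE)


def scrub_line(line: str) -> Tuple[str, bool]:
    """Return (redacted_line, had_secret) for one access-log line."""
    redacted, n = SECRET_PARAMS.subn(lambda m: m.group("key") + "[REDACTED]", line)
    return redacted, n > 0


def scrub_log(text: str) -> Tuple[str, List[str]]:
    """Redact every line; also return the usernames seen next to a secret."""
    out_lines, exposed_users = [], []
    for line in text.splitlines():
        redacted, hit = scrub_line(line)
        if hit:
            exposed_users.extend(USER_PARAMS.findall(line))
        out_lines.append(redacted)
    return "\n".join(out_lines) + "\n", exposed_users


def hash_password(password: str, salt: Optional[bytes] = None, iterations: int = 200_000) -> str:
    """Salted, iterated PBKDF2-HMAC-SHA256; the record carries its own parameters."""
    salt = salt if salt is not None else os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return "pbkdf2_sha256$%d$%s$%s" % (iterations, salt.hex(), dk.hex())


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt/iterations and compare in constant time."""
    algo, iters, salt_hex, dk_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        raise ValueError("unsupported hash record")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(dk.hex(), dk_hex)


if __name__ == "__main__":
    clean, users = scrub_log(SAMPLE_LOG)
    print(clean)
    print("accounts to reset:", users)
    rec = hash_password("Hunter2")
    print(rec)
    print(verify_password("Hunter2", rec), verify_password("hunter2", rec))
```

The scrubber is a stopgap for logs that already exist; the real fix is to make the login form POST its fields in the body and to configure the server not to log request bodies, so there is nothing to redact. Redaction is also exactly the step a log-shipping pipeline should run before logs reach a shared directory like the one in the IEEE report.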
------------------------------

Date: Mon, 24 Sep 2012 17:29:13 -0700
From: Gene Wirchenko <genew_at_private>
Subject: "Facebook reveals its evil plans" (Cringely)

http://www.infoworld.com/t/cringely/facebook-reveals-its-evil-plans-203126
InfoWorld Home / Notes from the Field
September 24, 2012
Facebook reveals its evil plans
Facebook has announced it will start logging users' searches and track their real world purchases. And so it begins
By Robert X. Cringely | InfoWorld

------------------------------

Date: Fri, 7 Sep 2012 00:14:11 -0700 (PDT)
From: Paul Robinson <paul_at_paul-robinson.us>
Subject: A new nasty virus and an excellent tool to counter it and others

I stumbled upon a really nasty virus on one of my computers running Windows XP, this one bringing up notices that the hard drive is having read errors. Which is strange, it's a 2 terabyte drive I bought maybe 18 months ago and has a 5 year warranty (I bought it for about $90; I just lucked out because hard drive prices doubled shortly after that.) Anyway, I don't even recognize the program - supposedly an anti-virus program - that's telling me about these errors. And, of course, what's running is a so-called "demo" version which tells you about errors but you have to pay for the full version to get it to fix them. Well, for curiosity I tried the link for the "full version" and apparently either it's not there any more or it can't be reached.

Anyway, I realized that this was another one of those fake anti-virus programs that actually are a virus or trojan horse, infecting your system or in some way making it look like you're infected with something worse, and demanding payment to "fix" the nonexistent problem. In simple terms, electronic extortion.
But I think it hoisted itself on its own petard; it deleted or blocked the networking software that my computer uses to connect to the Internet, so if they're trying to collect money from people thinking it's a legitimate anti-virus, it locked itself out of the Internet! (My desktop is connected by USB wireless adapter so that I don't have to run wires all over the place, so lose the driver for it and I lose the Internet.)

This extortion program is really nasty, because it's figured out how to hide everything; the C drive literally appears as nothing is present and all directories (which supposedly aren't there) are also empty. Even the desktop is almost blank except for a couple items. While it might not be that hard to hide files to Windows or Windows Explorer, it's even figured out how to make files disappear to the command interpreter CMD.EXE. Your C drive becomes empty - a big red flag, because if the C drive is empty, Windows wouldn't even start - and the program is a bit too smart for its own good, in an attempt to hide everything, if you're in the directory assigned to the desktop, and you go up one directory, the subdirectory you just left isn't there any more. Dragging something out of the recycling bin to the desktop causes *nothing* to happen, which is a neat trick. And it clears out the start menu except for itself. If you've never seen an absolutely blank start menu - even My Computer is missing - you're in for a big surprise.

Another hint that it's basically pulling a stunt to hide directory listings is that the usual programs that run in the background are showing their icons in the bottom right corner of Systray, so it's rather interesting to see that supposedly there are hard drive errors popping up, but the usual stuff that runs in the background at startup is still there, even if you can't see the startup folder in the Start Menu and those very same files are not present in a directory listing.
And what's more interesting is that it is able to continue to replicate this behavior even in Safe Mode. The desktop is basically coming up blank except for this program's shortcut and the recycle bin. And the Start Menu is still blank.

Well, I have found a very useful, free tool to fix really badly infected or contaminated or corrupted systems, especially when the people who put the so-called anti-virus or whatever software have killed the TCP/IP stack so badly that you can't even connect to the Internet through an Ethernet cable (I had two laptops my sister asked me to take a look at because the Internet stopped working.) This program is called Combofix, it is recommended to only download it from the people who release it at www.bleepingcomputer.com, and it is regularly updated so if you have an old version it will warn you.

So I downloaded the latest release on another computer, copied it to a jump drive, and proceeded to use it. Problem is, with the start menu blank it really makes it difficult to do anything; even the RUN command is missing. But, there is one save which I didn't know about until I right-clicked on the recycling bin: Command Prompt. And sure enough, I get to a command prompt for the desktop, and a DIR command says it's empty. But I found one way around the emptiness of the system from this program. It doesn't block anything but the C drive; if you plug a jump drive into it, you can see that drive and its contents. I copy Combofix over from the jump drive and it shows up, so I run it. It unpacks itself and goes to work; I respond to a couple of prompts as it finds a few things that are missing, and I otherwise just let it go as it has about 45 passes to fix things on the system. I come back to it a while later, and there's a file being shown from Notepad with a huge list of things it's fixed and stuff it's removed. Close that and I can see that all the icons that were there are now back on the desktop.
Somehow the networking software for the wireless adapter got lost, but I had the CD and reinstalled it. I am able to use that computer to post this message.

So I recommend anyone who has to worry about the risk of a computer losing its Internet connection or having been hit by a virus infection, get a copy of Combofix and run it. It's free, it's very good, and in some really bad cases will do an excellent job of fixing things.

------------------------------

Date: Mon, 24 Sep 2012 14:41:32 -0600
From: Jim Reisert AD1C <jjreisert_at_private>
Subject: 20% of new PCs in China come with malware pre-installed

Wolfgang Gruener, 24 Sep 2012 (source: Microsoft)

"In China, there is not much you have to do to contract a virus on your PC. Plus, you have a one in five chance that you will get that first virus on your brand new PC right out of the box."

"Microsoft revealed this finding in a new whitepaper and attributes the high rate of infections of PCs to a shaky supply chain structure that does not prevent the presence of counterfeit products. To lower the cost of a new PC, potentially compromised products are sometimes knowingly accepted. It does not take much to see that this scenario is a goldmine for malware makers and allows the malware business to flourish."

http://www.tomshardware.com/news/microsoft-pc-windows-security-china,17758.html

There's a link to a more detailed Microsoft blog post here:

Microsoft Disrupts the Emerging Nitol Botnet Being Spread through an Unsecure Supply Chain
https://blogs.technet.com/b/microsoft_blog/archive/2012/09/13/microsoft-disrupts-the-emerging-nitol-botnet-being-spread-through-an-unsecure-supply-chain.aspx

"The discovery and successive action against the Nitol botnet stemmed from a Microsoft study looking into unsecure supply chains. The study confirmed that cybercriminals preload malware infected counterfeit software onto computers that are offered for sale to innocent people.
In fact, twenty percent of the PCs researchers bought from an unsecure supply chain were infected with malware. Making matters worse, the malware was capable of spreading like an infectious disease through devices like USB flash drives, potentially causing the victim's family, friends and co-workers to become infected with malware when simply sharing computer files."

It really *does* sound like a disease!

Jim Reisert AD1C, <jjreisert@private>, http://www.ad1c.us

------------------------------

Date: Tue, Sep 25, 2012 at 1:06 PM
From: Lauren Weinstein <lauren_at_private>
Subject: Hidden web code means hackers 'can wipe Samsung Galaxy S3'

Hidden web code means hackers 'can wipe Samsung Galaxy S3'
http://j.mp/QvVlCa (Telegraph UK)

"Malicious hackers can hide a code in a web page that will trigger a full factory reset of Samsung's best-selling Galaxy S3 smartphone, deleting contacts, photographs, music, apps and other valuable data, security researchers have discovered."

- - -

As bad as this exploit is, you can of course restore much of this data automatically from Google servers even after a factory reset.

Lauren Weinstein (lauren@private): http://www.vortex.com/lauren
nnsquad mailing list
http://lists.nnsquad.org/mailman/listinfo/nnsquad

------------------------------

Date: Thu, 06 Sep 2012 14:18:46 -0700
From: Gene Wirchenko <genew_at_private>
Subject: "Leaked Apple IDs ..."
http://www.infoworld.com/t/data-security/leaked-apple-ids-expose-holes-in-corporate-information-security-201608
InfoWorld Home / InfoWorld Tech Watch
September 04, 2012
Leaked Apple IDs expose holes in corporate information security
Most organizations suffering data breaches don't enforce security policies, study finds
By Ted Samson | InfoWorld

http://www.infoworld.com/d/security/fbi-denies-it-was-source-of-leaked-apple-device-id-data-201644
InfoWorld Home / Security / News
September 05, 2012
FBI denies it was source of leaked Apple device ID data
Hacking group AntiSec claimed earlier it had accessed 12 million UDIDs from an FBI agent's computer
By Jaikumar Vijayan | Computerworld

[Subsequently, "Blue Toad admits it was source of leaked Apple UDIDs". PGN]
http://www.infoworld.com/t/data-security/blue-toad-admits-it-was-source-of-12-million-leaked-apple-udids-202037

------------------------------

Date: Thu, 06 Sep 2012 20:47:40 -0700
From: Henry Baker <hbaker1_at_private>
Subject: Re: When GPS Confuses, You May Be to Blame (Stross, Kruk)

When I explained how the Google self-driving car could drive itself, my wife said such a capability would help in taking drunk drivers off the road. But it then occurred to both of us that a drunk "driver" is just as likely to tell a Googlized car to take him/her to the wrong place -- perhaps even 3,000 miles from his/her intended destination.

"I'm sorry, Dave -- I don't have enough gas to take you to Home" (in Pennsylvania, 60 miles NE of Pittsburgh).

http://www.itsallgood.itgo.com/photo4.html

(As you can see from this web site, my example could have been a _lot_ worse! ;-)

------------------------------

Date: Mon, 6 Jun 2011 20:01:16 -0900
From: RISKS-request_at_private
Subject: Abridged info on RISKS (comp.risks)

The ACM RISKS Forum is a MODERATED digest. Its Usenet manifestation is comp.risks, the feed for which is donated by panix.com as of June 2011.
=> SUBSCRIPTIONS: PLEASE read RISKS as a newsgroup (comp.risks or equivalent) if possible and convenient for you. The mailman Web interface can be used directly to subscribe and unsubscribe:
   http://lists.csl.sri.com/mailman/listinfo/risks
 Alternatively, to subscribe or unsubscribe via e-mail to mailman your FROM: address, send a message to
   risks-request_at_private
 containing only the one-word text subscribe or unsubscribe. You may also specify a different receiving address: subscribe address= ... . You may short-circuit that process by sending directly to either
   risks-subscribe_at_private or risks-unsubscribe_at_private
 depending on which action is to be taken. Subscription and unsubscription requests require that you reply to a confirmation message sent to the subscribing mail address. Instructions are included in the confirmation message. Each issue of RISKS that you receive contains information on how to post, unsubscribe, etc.
=> The complete INFO file (submissions, default disclaimers, archive sites, copyright policy, etc.) is online.
   <http://www.CSL.sri.com/risksinfo.html>
 The full info file may appear now and then in RISKS issues.
 *** Contributors are assumed to have read the full info file for guidelines.
=> .UK users may contact <Lindsay.Marshall_at_private>.
=> SPAM challenge-responses will not be honored. Instead, use an alternative address from which you NEVER send mail!
=> SUBMISSIONS: to risks_at_private with meaningful SUBJECT: line.
 *** NOTE: Including the string "notsp" at the beginning or end of the subject
 *** line will be very helpful in separating real contributions from spam.
 *** This attention-string may change, so watch this space now and then.
=> ARCHIVES: ftp://ftp.sri.com/risks for current volume
     or ftp://ftp.sri.com/VL/risks for previous VoLume
   http://www.risks.org takes you to Lindsay Marshall's searchable archive at newcastle:
   http://catless.ncl.ac.uk/Risks/VL.IS.html gets you VoLume, ISsue.
   Lindsay has also added to the Newcastle catless site a palmtop version of the most recent RISKS issue and a WAP version that works for many but not all telephones: http://catless.ncl.ac.uk/w/r
   <http://the.wiretapped.net/security/info/textfiles/risks-digest/> .
 ==> PGN's comprehensive historical Illustrative Risks summary of one liners:
   <http://www.csl.sri.com/illustrative.html> for browsing,
   <http://www.csl.sri.com/illustrative.pdf> or .ps for printing
   is no longer maintained up-to-date except for recent election problems.
 ==> Special Offer to Join ACM for readers of the ACM RISKS Forum:
   <http://www.acm.org/joinacm1>

------------------------------

End of RISKS-FORUM Digest 27.03
************************

Received on Sat Sep 29 2012 - 14:29:44 PDT