[RISKS] Risks Digest 27.16

From: RISKS List Owner <risko_at_private>
Date: Thu, 14 Feb 2013 14:54:03 PST
RISKS-LIST: Risks-Forum Digest  Thursday 14 February 2013  Volume 27 : Issue 16

ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
Peter G. Neumann, moderator, chmn ACM Committee on Computers and Public Policy

***** See last item for further information, disclaimers, caveats, etc. *****
This issue is archived at <http://www.risks.org> as
  <http://catless.ncl.ac.uk/Risks/27.16.html>
The current issue can be found at
  <http://www.csl.sri.com/users/risko/risks.txt>

  Contents:
Super Bowl blackout was caused by electrical relay (Kevin McGill via
  Henry Baker)
Safety investigators identify origin of Boeing 787 battery fire (Jim Reisert)
Jared Diamond on risk assessment (Paul Edwards)
Man allegedly follows GPS directions to wrong house; shot dead
  (Chris Matyszczyk via Monty Solomon)
Hackers in China Attacked The New York Times for Last 4 Months
  (Nicole Perlroth)
Infiltrate anybody, one-click easy (Steve Summit)
"U.S. Said to Be Target of Massive Cyber-Espionage Campaign"
  (Ellen Nakashima via ACM TechNews)
Visa suspicious activity (Leslie Maltz)
Password Cracking AES-256 DMGs and Epic Self-Pwnage (Jeremiah Grossman
  via Monty Solomon)
Security Firm Bit9 Hacked, Used to Spread Malware (Lauren Weinstein)
"Researchers devise new attack techniques against SSL"  (Lucian Constantin
  via Gene Wirchenko)
Deloitte predicts that in 2013 more than 90 percent of user-generated
  passwords will be vulnerable to hacking (Jim Reisert)
"Canadian business and technology associations oppose anti-spam regulations"
  (Gene Wirchenko)
"Data breach exposes Energy Department's 'continuing story of negligence'"
  (Gene Wirchenko)
"9 iPhone and iPad apps that invade your privacy, and 1 that doesn't"
  (Tom Kaneshige via Gene Wirchenko)
Mandatory Black Boxes in Cars (Nate Cardozo EFF Press)
Apparent issue with Facebook Connect is dragging people from around the Web
  to a moot error page (The Next Web via NNSquad)
Did Facebook Just Break Half the Internet? (Gawker via NNSquad)
"How Facebook Connect took down the Web" (Peter Wayner via Gene Wirchenko)
Read this book by Ross Anderson.  It's free. (Rob Slade)
FOSE 2013 (Sarah Kneip)
Abridged info on RISKS (comp.risks)

----------------------------------------------------------------------

Date: Fri, 08 Feb 2013 17:36:06 -0800
From: Henry Baker <hbaker1_at_private>
Subject: Super Bowl blackout was caused by electrical relay (Kevin McGill)

  [FYI -- When IBM service engineers did this sort of thing, we called it
  "causative maintenance"...]

Kevin McGill, Super Bowl blackout was caused by [faulty] electrical relay,
Associated Press, 8 Feb 2013
http://www.sfgate.com/news/article/Super-Bowl-blackout-was-caused-by-electrical-relay-4262813.php

NEW ORLEANS -- The company that supplied electricity to the Super Bowl says
the blackout that halted the big game was caused by a device it installed
specially to prevent a power failure.  But the utility stopped short of
taking all the blame and said Friday that it was looking into whether the
electrical relay at fault had a design flaw or a manufacturing defect.

The relay had been installed as part of a project begun in 2011 to upgrade
the electrical system serving the Superdome in anticipation of the
championship game. The equipment was supposed to guard against problems in
the cable that links the power grid with lines that go into the stadium.

"The purpose of it was to provide a newer, more advanced type of protection
for the Superdome," Dennis Dawsey, an executive with Entergy Corp., told
members of the City Council. Entergy is the parent company of Entergy New
Orleans, the city's main electric utility.

Entergy officials said the relay functioned with no problems during
January's Sugar Bowl and other earlier events. It has been removed and will
be replaced.  ...  The relay was installed in a building near the stadium
known as "the vault," which receives a line directly from a nearby Entergy
substation. Once the line reaches the vault, it splits into two cables that
go into the Superdome.

Sunday's power failure cut lights to about half of the stadium, halting play
between the Baltimore Ravens and San Francisco 49ers and interrupting the
nation's most-watched sporting event for 34 minutes.

Not long after the announcement, the manufacturer of the relay,
Chicago-based S&C Electric Co., released a statement saying that the
blackout occurred because system operators had put the relay's so-called
trip setting too low to allow the device to handle the incoming electric
load.  "If higher settings had been applied, the equipment would not have
disconnected the power," said Michael J.S. Edmonds, vice president of
strategic solutions for S&C.  In a follow-up statement, Entergy said that
tests conducted by S&C and Entergy on the two relays at the Superdome showed
that one worked as expected, the other did not.  Entergy spokesman Mike
Burns said both relays had the same trip setting.  Entergy's announcement
came shortly before company officials went before a committee of the City
Council, which is the regulatory body for the company.

   [Truncated for RISKS.  The article continues with somewhat less
   expressed certainty as to the cause(s).  PGN]

------------------------------

Date: Thu, 7 Feb 2013 16:42:17 -0700
From: Jim Reisert AD1C <jjreisert_at_private>
Subject: Safety investigators identify origin of Boeing 787 battery fire

Washington (CNN) -- Federal safety officials said Thursday they have
identified the origin of the battery fire on a Boeing 787 Dreamliner last
month, and are turning their microscopes on an aircraft approval process in
which the airplane builder evidently greatly underestimated the chances of
battery failure.

Boeing had estimated a "smoke" event would occur "less than once in 10
million flight hours" with the Dreamliner's novel lithium-ion batteries,
National Transportation Safety Board chairwoman Deborah Hersman said. But
after fewer than 100,000 hours of actual flight, two batteries failed, one
culminating in a fire.

Further, Boeing's indications that heat damage in one battery cell would not
harm adjacent cells proved false, Hersman said.

"The assumptions used to certify the battery must be reconsidered," Hersman
said.

http://www.cnn.com/2013/02/07/travel/dreamliner-battery-investigation/

Jim Reisert AD1C, <jjreisert@private>, http://www.ad1c.us

  [Get it from the horse's mouth: The National Transportation Safety Board:
    http://www.ntsb.gov/news/2013/130207.html
  PGN]

------------------------------

Date: Wed, 30 Jan 2013 21:39:55 +1100
From: Paul Edwards <paule_at_private>
Subject: Jared Diamond on risk assessment

http://www.nytimes.com/2013/01/29/science/jared-diamonds-guide-to-reducing-lifes-risks.html?src=me&ref=general

  "If I'm to achieve my statistical quota of 15 more years of life, that
  means about 15 times 365, or 5,475, more showers. But if I were so
  careless that my risk of slipping in the shower each time were as high as
  1 in 1,000, I'd die or become crippled about five times before reaching my
  life expectancy. I have to reduce my risk of shower accidents to much,
  much less than 1 in 5,475."

This article provides a useful and clear overview of risk assessment (of the
non-IT kind). It may be of use to folks who need to educate their users...

------------------------------

Date: Fri, 1 Feb 2013 08:57:50 -0500
From: Monty Solomon <monty_at_private>
Subject: Man allegedly follows GPS directions to wrong house; shot dead
  (Chris Matyszczyk)

Chris Matyszczyk, CNET, 29 Jan 2013
Friends say a man in his early 20s was picking up one more of their group to
go skating, when his GPS took him to the wrong house and the home-owner
allegedly shot him dead, later saying he feared a home invasion.
http://news.cnet.com/8301-17852_3-57566488-71/man-allegedly-follows-gps-directions-to-wrong-house-shot-dead/

Two portraits emerge of Lilburn shooter
http://www.ajc.com/news/news/man-69-accused-of-killing-man-who-went-to-wrong-ho/nT8xp/

------------------------------

Date: Thu, 31 Jan 2013 11:50:12 PST
From: "Peter G. Neumann" <neumann_at_private>
Subject: Hackers in China Attacked The New York Times for Last 4 Months
  (Nicole Perlroth)

Nicole Perlroth, *The New York Times*, 30 Jan 2013
http://www.nytimes.com/2013/01/31/technology/chinese-hackers-infiltrate-new-york-times-computers.html?partner=rss&emc=rss&pagewanted=print

For the last four months, Chinese hackers have persistently attacked *The
New York Times*, infiltrating its computer systems and getting passwords for
its reporters and other employees.  After surreptitiously tracking the
intruders to study their movements and help erect better defenses to block
them, *The Times* and computer security experts have expelled the attackers
and kept them from breaking back in.  The timing of the attacks coincided
with the reporting for a *Times* investigation, published online on 25 Oct,
that found that the relatives of Wen Jiabao, China's prime minister, had
accumulated a fortune worth several billion dollars through business
dealings.

Security experts hired by *The Times* to detect and block the computer
attacks gathered digital evidence that Chinese hackers, using methods that
some consultants have associated with the Chinese military in the past,
breached *The Times*'s network. They broke into the e-mail accounts of its
Shanghai bureau chief, David Barboza, who wrote the reports on Mr. Wen's
relatives, and Jim Yardley, *The Times*'s South Asia bureau chief in India,
who previously worked as bureau chief in Beijing.  "Computer security
experts found no evidence that sensitive e-mails or files from the reporting
of our articles about the Wen family were accessed, downloaded or copied,"
said Jill Abramson, executive editor of *The Times*.

The hackers tried to cloak the source of the attacks on *The Times* by first
penetrating computers at United States universities and routing the attacks
through them, said computer security experts at Mandiant, the company hired
by *The Times*. This matches the subterfuge used in many other attacks that
Mandiant has tracked to China.

The attackers first installed malware - malicious software - that enabled
them to gain entry to any computer on *The Times*'s network. The malware was
identified by computer security experts as a specific strain associated with
computer attacks originating in China. More evidence of the source, experts
said, is that the attacks started from the same university computers used by
the Chinese military to attack United States military contractors in the
past.

Security experts found evidence that the hackers stole the corporate
passwords for every *Times* employee and used those to gain access to the
personal computers of 53 employees, most of them outside The Times's
newsroom. Experts found no evidence that the intruders used the passwords to
seek information that was not related to the reporting on the Wen family.
No customer data was stolen from *The Times*, security experts said.

  [Long but very worthy article truncated for RISKS.  Steve Summit picked
  up on one paragraph that I deleted, below.  PGN]

------------------------------

Date: Sat, 02 Feb 2013 05:52:42 -0800
From: scs_at_private (Steve Summit)
Subject: Infiltrate anybody, one-click easy

Attackers -- allegedly from China -- infiltrate the editorial offices of
the New York Times for several months:
http://www.nytimes.com/2013/01/31/technology/chinese-hackers-infiltrate-new-york-times-computers.html

One point particularly stands out for me:

  "Investigators [...] suspect the hackers used a so-called spear-phishing
  attack, in which they send e-mails to employees that contain malicious
  links or attachments.  All it takes is one click on the e-mail by an
  employee for hackers to install 'remote access tools' -- or RATs."

I'm afraid I know the answer(s), but I have to ask: why in the world do we
put up with this?  What once was unthinkable -- what amounts to remote
execution of untrusted code on any machine, essentially at will -- is
routine.  (And, yes, I understand that what's typically going on is not
direct execution of simple .exe-format attachments, but rather exploitation
of bugs in complex but popular attachment-handling programs such as Acrobat
and Flash, but the net effect would seem to be exactly the same.)  The
too-familiar entreaties to users to "be careful of clicking on suspicious
attachments" do not and cannot work, but it's almost as if we've decided
those entreaties are all we can do, that any technological fixes in parallel
-- such as closing the holes in those attachment-handling programs once and
for all, or replacing them with inherently more secure approaches -- are
impossible.

------------------------------

Date: Mon, 11 Feb 2013 12:30:27 -0500
From: ACM TechNews <technews_at_private>
Subject: "U.S. Said to Be Target of Massive Cyber-Espionage Campaign"
  (Ellen Nakashima)

Ellen Nakashima, *The Washington Post*, 10 Feb 2013
[via ACM TechNews, Monday, February 11, 2013]

The United States is the target of a massive, sustained cyber-espionage
campaign that threatens the country's economic competitiveness, according to
the National Intelligence Estimate (NIE).  The report identifies China as
the most aggressive country in trying to penetrate U.S. computer systems,
although Russia, Israel, and France also were cited as having engaged in
hacking for economic intelligence.  Cyber-espionage increasingly is
threatening the U.S.'s economic interests and the Obama administration is
looking for ways to counter the online theft of trade secrets.  "We need the
NIE on cyber for a systematic and comprehensive understanding of what the
most dangerous technologies are, who are the most threatening actors, and
what are our greatest vulnerabilities," says former deputy defense secretary
William J. Lynn III.  A majority of China's cyberattacks are thought to be
aimed at commercial targets with ties to military technology.  "The problem
with foreign cyber-espionage is not that it is an existential threat, but
that it is invisible, and invisibility promotes inaction," according to a
former government official.  "It's fair to say we're already living in an
age of state-led cyberwar, even if most of us aren't aware of it," says
Google CEO Eric Schmidt.

http://www.washingtonpost.com/world/national-security/us-said-to-be-target-of-massive-cyber-espionage-campaign/2013/02/10/7b4687d8-6fc1-11e2-aa58-243de81040ba_story.html?hpid=z1

------------------------------

Date: Monday, January 28, 2013
From: Leslie Maltz
Subject: Visa suspicious activity

This afternoon for at least 4 hours, Visa was denying purchases for
thousands of cardholders.  Visa claimed they had a system meltdown. I
watched as someone was turned down on a minimal purchase using a VISA
obtained through Barclay's Bank.  When on the phone with Visa customer
service, all they would admit was "all" their systems were down all
afternoon and that they were getting thousands of calls from customers.

All this sounds very suspicious.  Perhaps someone from IP knows more about
the problem and whether it was a real system failure or a denial of service
attack or some other hack.

------------------------------

Date: Sun, 10 Feb 2013 12:28:23 -0500
From: Monty Solomon <monty_at_private>
Subject: Password Cracking AES-256 DMGs and Epic Self-Pwnage
  (Jeremiah Grossman)

Jeremiah Grossman, WhiteHat Security Blog, 7 FEB 2013

Two weeks ago I was in the midst of a nightmare. I'd forgotten a
password. Not just any password. THE password. Without this one password I
was cryptographically locked out of thousands and gigabytes worth of files I
care about. Highly sensitive and valuable files that include work documents,
personal projects, photos, code snippets, notes, family stuff, etc. The
password in question unlocks these files from the protection of locally
stored AES-256 encrypted disk image. A location where an "email me a
password reset link" is not an option. File backups? Of course! Encrypted
the same way with the same password. Password paper backup? Nope. I'll get
to that. I somehow needed to "crack" this password. If not, the amount of
epic self-pwnage would be too horrible to imagine.

Before sharing how I got myself into this predicament, it's necessary to
reveal some details about my personal computer security habits.  More
specifics than I'm normally comfortable sharing. ...

http://blog.whitehatsec.com/cracking-aes-256-dmgs-and-epic-self-pwnage/

------------------------------

Date: February 8, 2013 6:17:30 PM EST
From: Lauren Weinstein <lauren_at_private>
Subject: Security Firm Bit9 Hacked, Used to Spread Malware

http://j.mp/Z0tyPT  (Krebs via NNSquad)

  "Bit9, a company that provides software and network security services
   to the U.S. government and at least 30 Fortune 100 firms, has suffered
   an electronic compromise that cuts to the core of its business:
   helping clients distinguish known "safe" files from computer viruses
   and other malicious software.  Waltham, Massachusetts-based Bit9 is a
   leading provider of "application whitelisting" services, a security
   technology that turns the traditional approach to fighting malware on
   its head. Antivirus software, for example, seeks to identify and
   quarantine files that are known bad or strongly suspected of being
   malicious. In contrast, Bit9 specializes in helping companies develop
   custom lists of software that they want to allow employees to run, and
   to treat all other applications as potentially unknown and dangerous.
   But earlier today, Bit9 told a source for KrebsOnSecurity that their
   corporate networks had been breached by a cyberattack. According to
   the source, Bit9 said they'd received reports that some customers had
   discovered malware inside of their own Bit9-protected networks,
   malware that was digitally signed by Bit9's own encryption keys."

------------------------------

Date: Thu, 07 Feb 2013 12:46:32 -0800
From: Gene Wirchenko <genew_at_private>
Subject: "Researchers devise new attack techniques against SSL"
  (Lucian Constantin)

Lucian Constantin, IDG News Service, *InfoWorld*, 06 Feb 2013
https://www.infoworld.com/d/security/researchers-devise-new-attack-techniques-against-ssl-212343

Almost all libraries used for implementing some of the Internet's most
important security protocols are likely to be vulnerable to the new 'Lucky
Thirteen' attacks

------------------------------

Date: Thu, 7 Feb 2013 16:43:37 -0700
From: Jim Reisert AD1C <jjreisert_at_private>
Subject: Deloitte predicts that in 2013 more than 90 percent of
 user-generated passwords will be vulnerable to hacking

  "Deloitte predicts that in 2013 more than 90 percent of user-generated
  passwords, even those considered strong by IT departments, will be
  vulnerable to hacking. Inadequate password protection may result in
  billions of dollars of losses, declining confidence in Internet
  transactions and significant damage to the reputations of the companies
  compromised by attacks. As the value of the information protected by
  passwords continues to grow, attracting more hack attempts, high-value
  sites will likely require additional forms of authentication."

http://www.deloitte.com/view/en_GX/global/industries/technology-media-telecommunications/tmt-predictions-2013/tmt-predictions-2013-technology/9eb6f4efcbccb310VgnVCM1000003256f70aRCRD.htm

I wonder what is considered "user-generated?"  Because I use LastPass
to generate random 8-character passwords for all my accounts, are
these considered to be user-generated?  I know sites that won't even
let you have a password more than 8 characters long.  I better go to
12 characters moving forward.

Jim Reisert AD1C, <jjreisert@private>, http://www.ad1c.us

  [I suspect `user-generated' is intended to mean ones you generate yourself
  without supposedly clever tools.  But if you are using well-known
  supposedly clever tools predictably, that may be riskful as well,
  or may be irrelevant if your passwords have been sniffed -- perhaps
  even as they are generated...  PGN]

------------------------------

Date: Thu, 07 Feb 2013 10:26:44 -0800
From: Gene Wirchenko <genew_at_private>
Subject: "Canadian business and technology associations oppose anti-spam
  regulations"

Brian Jackson, A group of 13 associations say the proposed regulations for
Canada's anti-spam law go too far, *IT Business*, 6 Feb 2013
  http://www.itbusiness.ca/it/client/en/home/News.asp?id=69877

opening paragraph:

A list of 13 business and technology associations in Canada are using the
opportunity to comment on the proposed anti-spam regulations to fight for
the right to put spyware on your computer and mobile devices, according to
one Internet law expert.

------------------------------

Date: Tue, 05 Feb 2013 09:37:32 -0800
From: Gene Wirchenko <genew_at_private>
Subject: "Data breach exposes Energy Department's 'continuing story of
  negligence'"

InfoWorld, 5 Feb 2013
U.S. Department of Energy claims no classified info was stolen by
hackers, just personal data belonging to employees
http://www.infoworld.com/t/hacking/data-breach-exposes-energy-departments-continuing-story-of-negligence-212246

------------------------------

Date: Mon, 04 Feb 2013 09:36:52 -0800
From: Gene Wirchenko <genew_at_private>
Subject: "9 iPhone and iPad apps that invade your privacy, and 1 that doesn't"
  (Tom Kaneshige)

Tom Kaneshige, CIO, *InfoWorld*, 2 Feb 2013
Most iPhone and iPad apps appear harmless and fun, but some are
virtual Trojan horses that swipe personal data when you're not looking
http://www.infoworld.com/slideshow/84618/9-iphone-and-ipad-apps-invade-your-privacy-and-1-doesnt-212035

------------------------------

Date: February 11, 2013 5:53:32 PM EST
From: Nate Cardozo EFF Press <press_at_private>
Subject: Mandatory Black Boxes in Cars

Nate Cardozo
 Staff Attorney
 Electronic Frontier Foundation
 nate_at_private
 +1 415 436-9333 x146

Mandatory Black Boxes in Cars Raise Privacy Questions
EFF Urges Strict Rules to Protect Drivers' Data

San Francisco - The Electronic Frontier Foundation (EFF) urged the National
Highway Traffic Safety Administration (NHTSA) today to include strict
privacy protections for data collected by vehicle "black boxes" to protect
drivers from long-term tracking as well as the misuse of their information.

Black boxes, more formally called event data recorders (EDRs), can serve a
valuable forensic function for accident investigations, because they can
capture information like vehicle speed before the crash, whether the brake
was activated, whether the seat belt was buckled, and whether the airbag
deployed.  NHTSA is proposing the mandatory inclusion of black boxes in all
new cars and light trucks sold in America.  But while the proposed rules
would require the collection of data in at least the last few seconds before
a crash, they don't block the long-term monitoring of driver behavior or the
ongoing capture of much more private information like audio, video, or
vehicle location.

"The NHTSA's proposed rules fail to address driver privacy in any meaningful
way," said EFF Staff Attorney Nate Cardozo.  "These regulations must include
more than minimum requirements of what should be collected and stored --
they need a reasonable maximum requirement as well."

The current NHTSA proposal mandates a boilerplate notice to consumers that
"various systems" are being monitored.  The plan also calls for a commercial
tool to be made available to allow user access to black box data.  In its
comments submitted to the NHTSA today, EFF calls for complete and
comprehensive disclosure of data collection as well as a free and open
standard to access black box information.

"The information collected by EDRs is private and must remain private until
the car owner consents to its use," said Cardozo.  "Consumers deserve full
disclosure of what is being collected, when, and how, as well as an easy and
free way of accessing this data on their own.  Having to buy access to your
own data is not reasonable. "

In addition to submitting its own comments to the NHTSA today, EFF also
joined the Electronic Privacy Information Center and a broad coalition of
privacy, consumer rights, and civil rights organizations in comments urging
the NHTSA to adopt specific, privacy-protecting amendments to its proposed
rules.

For EFF's full comments submitted to the NHTSA:
https://www.eff.org/document/effs-comments-nhtsa-about-black-boxes-cars

For this release:
https://www.eff.org/press/releases/mandatory-black-boxes-cars-raise-privacy-questions

About EFF

The Electronic Frontier Foundation is the leading organization protecting
civil liberties in the digital world. Founded in 1990, we defend free speech
online, fight illegal surveillance, promote the rights of digital
innovators, and work to ensure that the rights and freedoms we enjoy are
enhanced, rather than eroded, as our use of technology grows. EFF is a
member-supported organization.  Find out more at https://www.eff.org.

------------------------------

Date: Thu, 7 Feb 2013 16:31:49 -0800
From: Lauren Weinstein <lauren_at_private>
Subject: Apparent issue with Facebook Connect is dragging people
  from around the web to a moot error page

  "The URL is garbled, but given the plethora of sites that you can hit to
  reach this page, TNW is laboring under the presumption that Facebook
  Connect is to blame. When you hit the blue 'Okay' button, you will be
  taken to a blank screen. If you hit the back button, the page you had
  wished to be on will be served to you, but only until the problem kicks
  back in and Facebook takes you hostage again.  This is no small
  issue. Facebook is dragging people from other sites, to its own website,
  where it puts them into the above penalty box for no clear reason. Given
  the number of first-hand reports that TNW received on Twitter, this issue
  could affect millions the world around. The disruption that Facebook is
  currently causing could cost its partners big ad dollars.  Feel free to
  list sites that you are seeing the problem with in the comments. Keith
  Plocek on Twitter dubbed the situation "Facebookmageddon." Not unfitting,
  frankly."  http://j.mp/V2hkTx  (*The Next Web* via NNSquad)

------------------------------

Date: Thu, 7 Feb 2013 17:22:55 -0800
From: Lauren Weinstein <lauren_at_private>
Subject: Did Facebook Just Break Half the Internet?

http://j.mp/V2nOlf  (Gawker via NNSquad)

  "UPDATE: Facebook responded with the following statement: For a short
  period of time, there was a bug that redirected people logging in with
  Facebook from third party sites to Facebook.com. The issue was quickly
  resolved, and Login with Facebook is now working as usual.  We've asked
  for more information. But in the meantime, it's good to know one small
  glitch at Facebook can effectively disable the entire Internet by
  redirecting it to their site."

Why worry about terrorist attacks disrupting the Net when you've already got
Facebook?

  [PGN notes: Lots of other items were contributed on this incident.
  Gabe Goldberg noted
    Facebook and Instagram Users Asked To Upload IDs To Regain Access
  http://news.cnet.com/8301-1023_3-57565293-93/instagram-account-crackdown-spreads-panic-fear-of-hacking/

  Gene Wirchenko noted Ted Samson, *InfoWorld*, 8 Feb 2013,
    Facebook error that hijacks thousands of websites isn't just an
    'inconvenience'
  http://www.infoworld.com/t/internet-privacy/facebook-error-hijacks-thousands-of-websites-isnt-just-inconvenience-212518
  and also Roger A. Grimes, *InfoWorld*, February 12, 2013
  http://www.infoworld.com/d/security/facebooks-redirect-error-foretells-the-future-of-hacking-212656
  ]

------------------------------

Date: Wed, 13 Feb 2013 10:55:28 -0800
From: Gene Wirchenko <genew_at_private>
Subject: "How Facebook Connect took down the Web" (Peter Wayner)

Peter Wayner, *InfoWorld*, 12 Feb 2013
Web hijacking wrought by Facebook Connect shows that both sites and
users may be ceding too much control to Facebook
http://www.infoworld.com/t/application-development/how-facebook-connect-took-down-the-web-212658

------------------------------

Date: Mon, 4 Feb 2013 15:44:58 -0800
From: Rob Slade <rmslade_at_private>
Subject: Read this book by Ross Anderson.  It's free.

I have been reviewing security books for over twenty years now.  When I
think of how few are really worthwhile that gets depressing.

However, Ross Anderson is always worth reading.  And when Ross Anderson
first published "Security Engineering" I was delighted to be able to tell
everyone that it was a worthwhile read.  If you are, in any way, interested
in, or working in, the field of security, there is something there for you.
Probably an awful lot.

When Ross Anderson made the first edition available online, for free, and
then published the second edition, I was delighted to be able to tell
everyone that they should buy the second edition, but, if they didn't trust
me, they should read the first edition free, and then buy the second edition
because it was even better.

  http://victoria.tc.ca/int-grps/books/techrev/bkseceng.rvw

Now Ross has made the second edition available, online, for free:
  http://www.cl.cam.ac.uk/~rja14/book.html

Everyone should read it, if they haven't already done so.
(I am eagerly awaiting the third edition  :-)

rslade_at_private     slade_at_private     rslade_at_private
victoria.tc.ca/techrev/rms.htm http://www.infosecbc.org/links
http://blogs.securiteam.com/index.php/archives/author/p1/
http://twitter.com/rslade

------------------------------

Date: Thu, 14 Feb 2013 06:37:47 -0800
From: "Sarah Kneip" <sarah_at_private>
Subject: FOSE 2013

FOSE (Federal Office Systems Exposition) (http://bit.ly/XR4PJE) is the
largest, most comprehensive event serving the government technology
community.  With a robust three-day program consisting of Keynote Speakers,
Educational Sessions, Government Tech Talks, New Product/Solution Showcases
and an App Arcade, FOSE is a must-attend event for the government technology
community.  From 14--16 May 2013, thousands of attendees will experience a
broad range of technologies including: enterprise, infrastructure, workplace
and mobile that are targeted to the specialized regulatory, security and
mission needs of government agencies.

------------------------------

Date: Sun, 7 Oct 2012 20:20:16 -0900
From: RISKS-request_at_private
Subject: Abridged info on RISKS (comp.risks)

 The ACM RISKS Forum is a MODERATED digest. Its Usenet manifestation is
 comp.risks, the feed for which is donated by panix.com as of June 2011.
=> SUBSCRIPTIONS: PLEASE read RISKS as a newsgroup (comp.risks or equivalent)
 if possible and convenient for you.  The mailman Web interface can
 be used directly to subscribe and unsubscribe:
   http://lists.csl.sri.com/mailman/listinfo/risks
 Alternatively, to subscribe or unsubscribe via e-mail to mailman
 your FROM: address, send a message to
   risks-request_at_private
 containing only the one-word text subscribe or unsubscribe.  You may
 also specify a different receiving address: subscribe address= ... .
 You may short-circuit that process by sending directly to either
   risks-subscribe_at_private or risks-unsubscribe_at_private
 depending on which action is to be taken.

 Subscription and unsubscription requests require that you reply to a
 confirmation message sent to the subscribing mail address.  Instructions
 are included in the confirmation message.  Each issue of RISKS that you
 receive contains information on how to post, unsubscribe, etc.

=> The complete INFO file (submissions, default disclaimers, archive sites,
 copyright policy, etc.) is online.
   <http://www.CSL.sri.com/risksinfo.html>
 *** Contributors are assumed to have read the full info file for guidelines.

=> .UK users may contact <Lindsay.Marshall_at_private>.
=> SPAM challenge-responses will not be honored.  Instead, use an alternative
 address from which you NEVER send mail!
=> SUBMISSIONS: to risks_at_private with meaningful SUBJECT: line.
 *** NOTE: Including the string "notsp" at the beginning or end of the subject
 *** line will be very helpful in separating real contributions from spam.
 *** This attention-string may change, so watch this space now and then.
=> ARCHIVES: ftp://ftp.sri.com/risks for current volume
     or ftp://ftp.sri.com/VL/risks for previous VoLume
 http://www.risks.org takes you to Lindsay Marshall's searchable archive at
 newcastle: http://catless.ncl.ac.uk/Risks/VL.IS.html gets you VoLume, ISsue.
   Lindsay has also added to the Newcastle catless site a palmtop version
   of the most recent RISKS issue and a WAP version that works for many but
   not all telephones: http://catless.ncl.ac.uk/w/r
 <http://the.wiretapped.net/security/info/textfiles/risks-digest/> .
==> PGN's comprehensive historical Illustrative Risks summary of one liners:
    <http://www.csl.sri.com/illustrative.html> for browsing,
    <http://www.csl.sri.com/illustrative.pdf> or .ps for printing
  is no longer maintained up-to-date except for recent election problems.
 *** NOTE: If a cited URL fails, we do not try to update them.  Try
  browsing on the keywords in the subject line or cited article leads.
==> Special Offer to Join ACM for readers of the ACM RISKS Forum:
    <http://www.acm.org/joinacm1>

------------------------------

End of RISKS-FORUM Digest 27.16
************************