Google Groups no longer supports new Usenet posts or subscriptions. Historical content remains viewable.
Dismiss
Risks Digest 27.23
101 views
Skip to first unread message
RISKS List Owner
Mar 30, 2013, 7:58:56 PM3/30/13
to ri...@csl.sri.com
RISKS-LIST: Risks-Forum Digest Saturday 30 March 2013 Volume 27 : Issue 23
ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
Peter G. Neumann, moderator, chmn ACM Committee on Computers and Public Policy
***** See last item for further information, disclaimers, caveats, etc. *****
This issue is archived at <http://www.risks.org> as
<http://catless.ncl.ac.uk/Risks/27.23.html>
The current issue can be found at
<http://www.csl.sri.com/users/risko/risks.txt>
Contents:
IRS: Tax glitch affects about 660K returns (Heather Hollingsworth via
Monty Solomon)
Panama Canal Railway hit after upgrade (Bob Heuman)
Online Dispute Becomes Internet-Snarling Attack (Markoff/Perlroth via
Monty Solomon)
More on Spamhaus et al. (sender anonymized by request)
More cyberscares from our governments (Lauren Weinstein)
SSL, RC4, and Site Administrators (Steve Bellovin)
Microwave oven interference robustness mode (jidanni)
Saudi Arabia 'threatens Skype ban' (Lauren Weinstein)
FBI wants real-time access to ... well ... pretty much everything (LW)
NYPD Facial Recog Unit Uses Facebook, Instagram To Track Down Suspects (LW)
Big Data and a Renewed Debate Over Privacy (Steve Lohr via Monty Solomon)
Database Is Shut Down by NASA for a Review (Mark Mazzetti via Monty Solomon)
"12 hard truths about cloud computing" (Peter Wayner via Gene Wirchenko)
"One in six Amazon S3 storage buckets are ripe for data-plundering"
(Ted Samson via Gene Wirchenko)
Some digital cameras easily turned into spying devices (Lauren Weinstein)
Google offers *offline* language translation support for Android (LW)
Risks of using other people's libraries (Phil Nasadowski)
25,000 could be affected by data breach at Salem State University
(Monty Solomon)
"Twitter-shaming can cost you your job" (Ted Samson via Gene Wirchenko)
"Cisco inadvertently weakens password encryption in IOS (Lucian Constantin
via Gene Wirchenko)
Password must contain multiple character classes... (jidanni)
"Microsoft Employee Info Being Hacked Through Xbox Live" (Chris Paoli via
Gene Wirchenko)
"Updated Windows 8 apps not in sync with Google Calendar" (Woody Leonhard
via Gene Wirchenko)
Re: Small furry animals ... (jericho)
Abridged info on RISKS (comp.risks)
----------------------------------------------------------------------
Date: Mon, 25 Mar 2013 01:03:46 -0400
From: Monty Solomon <mo...@roscom.com>
Subject: IRS: Tax glitch affects about 660K returns (Heather Hollingsworth)
Heather Hollingsworth, AP, 13 Mar 2013
KANSAS CITY, Mo. (AP) - A tax-preparation glitch affecting about 660,000 tax
returns will delay refunds by as long as six weeks, with customers of the
nation's largest tax preparer among those affected.
The Internal Revenue Service said in a statement that a problem with a
''limited number of software company products'' affected some taxpayers
filing a form used to claim educational credits between 14 and 22 Feb 2013.
The agency didn't name any companies in the statement, which it released
Tuesday, but Kansas City-based H&R Block has been informing customers about
problems. H&R Block spokesman Gene King said Wednesday that the company
isn't saying how many of its customers were affected by the problems with
Form 8863. ...
http://www.boston.com/news/education/2013/03/13/irs-tax-glitch-affects-about-returns/2RStz826IfaP2YS5fFILsK/story.html
------------------------------
Date: Sat, 23 Mar 2013 19:38:20 -0400
From: Bob Heuman <robert...@alumni.monmouth.edu>
Subject: Panama Canal Railway hit after upgrade
Reuters, 22 Mar 2013
http://www.reuters.com/article/2013/03/23/us-panama-canal-idUSBRE92L19120130323
Thousands of containers have been stuck at Panamanian ports after a computer
glitch hampered communication with the railway, causing significant delays,
officials said on Friday. The Panama Canal Railway Co transports about
1,500 containers daily between the only port on the Pacific entrance to the
Panama Canal and three ports on the Atlantic, said Thomas Kenna, director of
operations for the railway. But a computer upgrade on 20 Mar 2013 by Panama
Ports Co (which manages two of those ports) caused severe lags, Kenna said.
Since then, the railway has moved only about 350 containers a day. Traffic
picked up on Friday, and the system should be operating normally by Monday,
Kenna added.
------------------------------
Date: Wed, 27 Mar 2013 14:01:57 -0400
From: Monty Solomon <mo...@roscom.com>
Subject: Online Dispute Becomes Internet-Snarling Attack (Markoff/Perlroth)
John Markoff and Nicole Perlroth, *The New York Times*, 26 Mar 2013
Firm Is Accused of Sending Spam, and Fight Jams Internet
A squabble between a group fighting spam and a Dutch company that hosts Web
sites said to be sending spam has escalated into one of the largest computer
attacks on the Internet, causing widespread congestion and jamming crucial
infrastructure around the world.
Millions of ordinary Internet users have experienced delays in services like
Netflix or could not reach a particular Web site for a short time.
However, for the Internet engineers who run the global network the problem
is more worrisome. The attacks are becoming increasingly powerful, and
computer security experts worry that if they continue to escalate people may
not be able to reach basic Internet services, like e-mail and online
banking.
The dispute started when the spam-fighting group, called Spamhaus, added the
Dutch company Cyberbunker to its blacklist, which is used by e-mail
providers to weed out spam. Cyberbunker, named for its headquarters, a
five-story former NATO bunker, offers hosting services to any Web site
"except child porn and anything related to terrorism," according to its Web
site.
A spokesman for Spamhaus, which is based in Europe, said the attacks began
on March 19, but had not stopped the group from distributing its blacklist.
Patrick Gilmore, chief architect at Akamai Networks, a digital content
provider, said Spamhaus's role was to generate a list of Internet spammers.
Of Cyberbunker, he added: "These guys are just mad. To be frank, they got
caught. They think they should be allowed to spam." ...
http://www.nytimes.com/2013/03/27/technology/internet/online-dispute-becomes-internet-snarling-attack.html
------------------------------
Date: Wed, 27 Mar 2013 09:48:41 -0700
From: Lauren Weinstein <lau...@vortex.com>
Subject: More on Spamhaus et al. (Another sender, anonymized by request)
[I don't like sending out anonymized messages, but it appears that many
legit users are simply terrified of upsetting Spamhaus. Via NNSquad.
Lauren]
Date: Wed, 27 Mar 2013 NN:09:11 -NNNN
From: []
Subject: More on Spamhaus et al. [Another sender anonymized by request]
On 27 Mar, [] wrote:
Spamhaus has selected some of my IP addresses now and then for lock down
as well -- even though they never demonstrated any proof of any sort that
there was any good reason. Indeed there was none. Then I found out that
they false positive list about 90,000 IPs a day -- according to them. And
I found out what it takes to get removed -- which is excessive for the
fact that they are acting without basis and from a location where class
action suits are not going to work. They won't even reveal their real
names.
In any case, vigilante injustice is not what the Internet needs.
------------------------------
Date: Thu, 28 Mar 2013 19:38:03 -0700
From: Lauren Weinstein <lau...@vortex.com>
Subject: More cyberscares from our governments
"Cyberattacks Seem Meant to Destroy, Not Just Disrupt"
http://j.mp/10eldVl (New York Times)
Mr. Obama's goal was to erode the business community's intense opposition
to federal legislation that would give the government oversight of how
companies protect "critical infrastructure," like banking systems and
energy and cellphone networks. That opposition killed a bill last year,
prompting Mr. Obama to sign an executive order promoting increased
information-sharing with businesses. "But I think we heard a new tone at
this latest meeting," an Obama aide said later. "Six months of unrelenting
attacks have changed some views."
In a word regarding this entire article: bull. My bet is that most of this
stuff is coming from the functional equivalent of pimple-faced kids in their
parents' basements in Cleveland. Hell, sad to say, I wouldn't be all that
surprised if our own governments are behind many of the attacks on our own
companies. This is all about our own governments wanting to scare the hell
out of us so that we'll let them and their cyberscare-industrial complex
buddies get more and more powerful, richer and richer, and won't complain as
they tap our networks just like they've wanted to do pretty much all along.
And we're falling for it, boys and girls.
------------------------------
Date: Fri, Mar 29, 2013 at 3:38 PM
From: Federal Trade Commission <subs...@subscribe.ftc.gov>
Subject: SSL, RC4, and Site Administrators
[image: Tech@FTC Banner] <http://techatftc.wordpress.com/>
Steve Bellovin
SSL, RC4, and Site Administrators
<http://techatftc.wordpress.com/2013/03/29/ssl-rc4-and-site-administrators/>
There's been yet another report of security problems with SSL.
<http://arstechnica.com/security/2013/03/new-attacks-on-ssl-decrypt-authentication-cookies/>
If you run a website or mail server, you may be wondering what to do about
it. For now, the answer is simple: nothing -- and don't worry about it.
First of all, at the moment there's nothing to do. You can't invent your
own cryptographic protocol; no one else would have a compatible browser.
Besides, they're notoriously hard to get right. In the very first paper on
the topic, Roger Needham and Michael Schroeder wrote ``Finally, protocols
such as those developed here are prone to extremely subtle errors that are
unlikely to be detected in normal operation. The need for techniques to
verify the correctness of such protocols is great, and we encourage those
interested in such problems to consider this area.'' Why do you think your
design will be better than one that has been scrutinized for more than 15
years?
Some of the trouble in this latest breach is due to weaknesses in the RC4
cipher algorithm. No one who works in cryptography was surprised by this
report; it's been showing cracks since at least 1997. What's new is that
someone has managed to turn the weaknesses into a real exploit, albeit one
that needs at least 224 and preferably 230 encryptions of the same plaintext
to work. (By the way, this is why cryptographers are so concerned about
minor weaknesses: as Bruce Schneier is fond of noting, attacks always get
better, they never get worse.) Besides, ciphers are even harder to get
right than protocols are. <http://www.schneier.com/>
The real reason not to worry, though, is that unless you're being targeted
by a major intelligence agency, this sort of cryptanalytic attack is *very*
far down on the risk scale. Virtually all attackers will look for unpatched
holes, injection or cross-site scripting attacks, people who will fall for
spear-phishing attacks, etc., long before they'll try something like this.
The common attacks are a lot easier to launch; besides, the attackers
understand them and know how to use them.
In the long run, RC4 has to be phased out. I certainly wouldn't start any
new designs that depended on RC4's characteristics or performance, but there
are plenty of other algorithm possibilities today. Vendors do need to ship
web browsers and servers that support newer versions of SSL (formally known
as TLS); weaknesses at the protocol level can't always be fixed by patching
code. For now, though, stay up to date with your patches and software, and
practice good security hygiene. (And if you are being targeted by a major
intelligence agency, you should talk to a major counterintelligence agency,
not me!)
Posted in Tech@FTC <http://techatftc.wordpress.com/category/techftc/>
------------------------------
Date: Sat, 23 Mar 2013 10:30:41 +0800
From: jid...@jidanni.org
Subject: Microwave oven interference robustness mode
The IEEE 802.11 committee that developed the Wi-Fi specification
conducted an extensive investigation into the interference potential
of microwave ovens. A typical microwave oven uses a self-oscillating
vacuum power tube called a magnetron and a high voltage power supply
with a half wave rectifier (often with voltage doubling) and no DC
filtering. This produces an RF pulse train with a duty cycle below 50%
as the tube is completely off for half of every AC mains cycle: 8.33
ms in 60 Hz countries and 10 ms in 50 Hz countries.
This property gave rise to a Wi-Fi "microwave oven interference
robustness" mode that segments larger data frames into fragments each
small enough to fit into the oven's "off" periods.
http://en.wikipedia.org/wiki/Electromagnetic_interference_at_2.4_GHz#Microwave_oven
------------------------------
Date: Mon, 25 Mar 2013 12:12:24 -0700
From: Lauren Weinstein <lau...@vortex.com>
Subject: Saudi Arabia 'threatens Skype ban'
http://j.mp/16TWb2V (BBC via NNSquad)
"Encrypted messaging services such as Skype, Viber and WhatsApp could be
blocked in Saudi Arabia, the telecommunications regulator there is
reported to have warned. It is demanding a means to monitor such
applications, but Saudis say that would seriously inhibit their
communications. Saudi newspapers are reporting that the companies behind
the applications have been given a week to respond."
------------------------------
Date: Tue, 26 Mar 2013 22:27:27 -0700
From: Lauren Weinstein <lau...@vortex.com>
Subject: FBI wants real-time access to ... well ... pretty much everything
"FBI Pursuing Real-Time Gmail Spying Powers as 'Top Priority' for 2013"
http://j.mp/11Kqi9d (Slate via NNSquad)
"Despite the pervasiveness of law enforcement surveillance of digital
communication, the FBI still has a difficult time monitoring Gmail, Google
Voice, and Dropbox in real time. But that may change soon, because the
bureau says it has made gaining more powers to wiretap all forms of
Internet conversation and cloud storage a "top priority" this year."
Actually, what they want is real-time access to pretty much everything from
everyone. If they could force hardware manufacturers to install keyloggers,
screengrabbers, and audio/video siphons into every piece of telecom gear
manufactured, they would. And at some point, they'll probably try. Could
they catch more bad guys that way? Yeah. But they also could solve more
crimes by installing government cameras and microphones in everyone's homes
and businesses. At some point -- like now -- we simply have to say that
civil liberties trump.
------------------------------
Date: Mon, 25 Mar 2013 21:11:43 -0700
From: Lauren Weinstein <lau...@vortex.com>
Subject: NYPD Facial Recog Unit Uses Facebook, Instagram To Track Down Suspects
"Police are searching for suspects' photos on Instagram and Facebook, then
running them through the NYPD's new Facial Recognition Unit to put a face
to a name, DNAinfo New York has learned. Detectives are now breaking
cases across the city thanks to the futuristic technology that marries mug
shots of known criminals with pictures gleaned from social media,
surveillance cameras and anywhere else cops can find images."
http://j.mp/XCVDrd (DNAinfo.com via NNSquad)
Remember what I say, again and again: "Public Is Public!"
------------------------------
Date: Mon, 25 Mar 2013 00:31:06 -0400
From: Monty Solomon <mo...@roscom.com>
Subject: Big Data and a Renewed Debate Over Privacy (Steve Lohr)
Big Data Is Opening Doors, but Maybe Too Many
Steve Lohr, *The New York Times*, 23 Mar 2013
In the 1960s, mainframe computers posed a significant technological
challenge to common notions of privacy. That's when the federal government
started putting tax returns into those giant machines, and consumer credit
bureaus began building databases containing the personal financial
information of millions of Americans. Many people feared that the new
computerized databanks would be put in the service of an intrusive corporate
or government Big Brother.
"It really freaked people out," says Daniel J. Weitzner, a former senior
Internet policy official in the Obama administration. "The people who cared
about privacy were every bit as worried as we are now."
Along with fueling privacy concerns, of course, the mainframes helped prompt
the growth and innovation that we have come to associate with the computer
age. Today, many experts predict that the next wave will be driven by
technologies that fly under the banner of Big Data - data including Web
pages, browsing habits, sensor signals, smartphone location trails and
genomic information, combined with clever software to make sense of it all.
Proponents of this new technology say it is allowing us to see and measure
things as never before - much as the microscope allowed scientists to
examine the mysteries of life at the cellular level. Big Data, they say,
will open the door to making smarter decisions in every field from business
and biology to public health and energy conservation.
"This data is a new asset," says Alex Pentland, a computational social
scientist and director of the Human Dynamics Lab at the M.I.T. "You want it
to be liquid and to be used."
But the latest leaps in data collection are raising new concern about
infringements on privacy - an issue so crucial that it could trump all
others and upset the Big Data bandwagon. Dr. Pentland is a champion of the
Big Data vision and believes the future will be a data-driven society. Yet
the surveillance possibilities of the technology, he acknowledges, could
leave George Orwell in the dust. ...
http://www.nytimes.com/2013/03/24/technology/big-data-and-a-renewed-debate-over-privacy.html
------------------------------
Date: Mon, 25 Mar 2013 00:34:11 -0400
From: Monty Solomon <mo...@roscom.com>
Subject: Database Is Shut Down by NASA for a Review (Mark Mazzetti)
Mark Mazzetti, *The New York Times*, 22 Mar 2013
WASHINGTON - NASA has shut down a large public database and is limiting
access to agency facilities by foreign citizens as part of a broader
investigation into efforts by China and other countries to get information
about important technology.
NASA announced the security procedures this week, after the F.B.I. arrested
a Chinese citizen at Dulles International Airport in Virginia who had
boarded a plane to Beijing.
The man, Bo Jiang, had been working as a contractor at NASA's Langley
Research Center in southern Virginia. According to an affidavit filed on
Monday, Mr. Jiang is being charged with making false statements to federal
agents - failing to disclose that he was carrying a laptop, hard drive and
SIM card that were discovered after a search of his belongings. ...
http://www.nytimes.com/2013/03/23/us/nasa-shuts-down-database-during-security-inquiry.html
------------------------------
Date: Mon, 25 Mar 2013 10:36:11 -0700
From: Gene Wirchenko <ge...@telus.net>
Subject: "12 hard truths about cloud computing" (Peter Wayner)
Peter Wayner, InfoWorld,
Performance, security, cost -- here's what to really expect from the cloud
http://www.infoworld.com/d/cloud-computing/12-hard-truths-about-cloud-computing-214920
------------------------------
Date: Thu, 28 Mar 2013 10:43:30 -0700
From: Gene Wirchenko <ge...@telus.net>
Subject: "One in six Amazon S3 storage buckets are ripe for data-plundering"
(Ted Samson)
Ted Samson, InfoWorld, 27 Mar 2013
Researchers discover nearly 2,000 Amazon Simple Storage Service
buckets containing freely accessible sensitive data
http://www.infoworld.com/t/cloud-security/one-in-six-amazon-s3-storage-buckets-are-ripe-data-plundering-215349
------------------------------
Date: Tue, 26 Mar 2013 18:11:04 -0700
From: Lauren Weinstein <lau...@vortex.com>
Subject: Some digital cameras easily turned into spying devices
http://j.mp/XaU20U (Net-Security [+video] via NNSquad)
"Newer cameras increasingly sport built-in Wi-Fi capabilities or allow
users to add SD cards to achieve them in order to be able to upload and
share photos and videos as soon as they take them. But, as proven by
Daniel Mende and Pascal Turbing, security researchers with German-based IT
consulting firm ERNW, these capabilities also have security flaws that can
be easily exploited for turning these cameras into spying devices. Mende
and Turbing chose to compromise Canon's EOS-1D X DSLR camera an exploit
each of the four ways it can communicate with a network. Not only have
they been able to hijack the information sent from the camera, but have
also managed to gain complete control of it."
------------------------------
Date: Wed, 27 Mar 2013 10:55:50 -0700
From: Lauren Weinstein <lau...@vortex.com>
Subject: Google offers *offline* language translation support for Android
http://j.mp/Zq5Gzg (Google Translate Blog via NNSquad)
Have you ever found yourself in a foreign country, wishing you knew how to
say "I'm lost!" or "I'm allergic to peanuts"? The Internet and services
like Google Translate can help-but what if you don't have a connection?
Today we're launching offline language packages for Google Translate on
Android (2.3 and above) with support for fifty languages, from French and
Spanish to Chinese and Arabic.
Seriously useful and cool.
------------------------------
Date: Mon, 25 Mar 2013 22:37:34 -0400
From: Phil Nasadowski <pnasa...@pcsintegrators.com>
Subject: Risks of using other people's libraries
We recently ran into a situation where I work, where a vendor's (a large,
well-known, multinational company with a two letter abbreviation for it's
name) piece of software was not fully compatible with Windows 7, 64bit. In
particular, a portion of the UI that's very, very useful for looking at
variables, is broken.
Being that the software in question was a development package for their
programmable logic controllers, and the widespread use of Windows 7 / 64 bit
in our office, a call to the vendor was in order.
The vendor replied that they were *not* going to update the package for 64
bit operating systems and there was *no* workaround.
A bit of pressing and a few nasty emails later, we got the full story:
Apparently the software uses a library developed by an outside firm. That
firm went bankrupt and is no longer in business. There is no copy of the
source code to the library. The library is not 64 bit compatible. Thus,
the vendor is forced to rewrite a portion of his software in house. Or seek
another library. Or something.
We are stuck with a piece of broken software for the mean time. They say
maybe 6 months to a year to fix it. I doubt we're alone.
I'm sure this isn't the first time this has happened. I'm sure it won't be
the last. It's a risk of relying on someone else's library to do something.
If they go away, you may be stuck with incompatible software. And your
customers won't be happy about it.
Philip Nasadowski, Project Engineer, PCS Integrators
------------------------------
Date: Mon, 25 Mar 2013 00:19:47 -0400
From: Monty Solomon <mo...@roscom.com>
Subject: 25,000 could be affected by data breach at Salem State University
http://www.newburyportnews.com/local/x1533629801/25-000-could-be-affected-by-data-breach-at-SSU
http://bostonglobe.com/metro/2013/03/15/virus-accesses-salem-state-university-database-containing-personal-information-for-thousands/S7AJvP1k7Zb7lLzSqhm7pN/story.html?s_campaign=8315
------------------------------
Date: Mon, 25 Mar 2013 09:51:31 -0700
From: Gene Wirchenko <ge...@telus.net>
Subject: "Twitter-shaming can cost you your job" (Ted Samson)
Ah, the wonders/blunders of modern communication.
Ted Samson, InfoWorld, 21 Mar 2013
Complaint on Twitter about overheard off-color jokes ends up costing
two techies their jobs
http://www.infoworld.com/t/technology-business/twitter-shaming-can-cost-you-your-job-214956
------------------------------
Date: Mon, 25 Mar 2013 10:00:24 -0700
From: Gene Wirchenko <ge...@telus.net>
Subject: "Cisco inadvertently weakens password encryption in IOS
(Lucian Constantin)
Lucian Constantin, IDG News Service, InfoWorld, 20 Mar 2013
http://www.infoworld.com/d/security/cisco-inadvertently-weakens-password-encryption-in-its-ios-operating-system-214907
Cisco inadvertently weakens password encryption in its IOS operating system
The password encryption scheme used in newer Cisco IOS versions is weak,
researchers find.
------------------------------
Date: Fri, 29 Mar 2013 19:39:17 +0800
From: jid...@jidanni.org
Subject: Password must contain multiple character classes...
I have just encountered the most clodsworthy...
Lost Password Login
https://savannah.gnu.org/
Welcome, jidanni. You may now change your password.
New password / passphrase:
(not too short, must contain multiple character classes: symbols, digits
(0-9), upper and lower case letters) (for instance: Stigma5Brass3Status)
New Password (repeat):
1. Why am I here? Because I always forget my password.
2. Why do I always forget my password? Because I am not allowed to use
my much better password, but have to conform to some expert person's
concept of what is a good password.
------------------------------
Date: Tue, 26 Mar 2013 10:37:42 -0700
From: Gene Wirchenko <ge...@telus.net>
Subject: "Microsoft Employee Info Being Hacked Through Xbox Live"
Chris Paoli, 20 Mar 2013
And one security expert unravels the tangled web of related attacks.
http://redmondmag.com/articles/2013/03/20/xbox-live-hack.aspx
------------------------------
Date: Wed, 27 Mar 2013 09:42:00 -0700
From: Gene Wirchenko <ge...@telus.net>
Subject: "Updated Windows 8 apps not in sync with Google Calendar"
(Woody Leonhard)
Users caught in the middle:
Woody Leonhard, InfoWorld, 26 Mar 2013
http://www.infoworld.com/t/microsoft-windows/updated-windows-8-apps-not-in-sync-google-calendar-215225
Updated Windows 8 apps not in sync with Google Calendar
Microsoft's new version of the Metro 'productivity' apps Mail, Calendar,
and People refuses to sync with Google Calendar
But it is not just Microsoft:
"After you upgrade Mail, Calendar, and People (they all come together), the
first time the Metro apps try to sync with a Google Calendar, you see this
message:
Reconnect this account / We can't connect to blah...@gmail.com because
Google no longer supports ActiveSync. Reconnect to get your email and
contacts using a different method. Cancel to save your email drafts and
reconnect later."
------------------------------
Date: Sun, 24 Mar 2013 12:29:57 -0500 (CDT)
From: security curmudgeon <jer...@attrition.org>
Subject: Re: Small furry animals ... (Re: Ishikawa, RISKS-27.22)
[Ishikawa notes only] the tip of the iceberg. While doing research for a
presentation, I focused only on squirrel-related outages of both power and
communications. The presentation is available here:
http://attrition.org/security/conferences/2012-BruCON-CyberWar-v18-FINAL03.pptx
If you start at slide 33 and click through to slide 39, you will not only
see my attempt at a humorous assertion that squirrels are a bigger threat
than 'cyberwar', but in the notes below each side is extensive details of
other incidents caused by squirrels. In some cases, I had to resort to (now
shared) Google spreadsheets because there were so many incidents.
In particular, look at the notes for Slide 34 which has one fascinating
statistic:
Squirrels caused 177 power outages in Lincoln, Nebraska, in 1980, which
was 24% of all outages. Estimated annual costs were $23,364 for repairs,
public relations, and lost revenue. In Omaha, in 1985, squirrels caused
332 outages costing at least $47,144. After squirrel guards were installed
over pole-mounted transformers in Lincoln in 1985, annual costs were
reduced 78% to $5,148.
Another article tells us:
In Georgia, squirrel-related outages more than tripled from 5,273 in 2005
to 16,750 in 2006. [..] Georgia Power officials estimate the rodents cost
them $2 million last year. [..] It appears that the problem may in part be
due to acorns. [..] PECO, which powers Philadelphia and its surrounding
counties, spends $1 million a year on squirrel guards to stop outages from
"those rascally little varmints," Engel said.
Another reference in the presentation also gives us this:
http://blog.level3.com/2011/08/04/the-10-most-bizarre-and-annoying-causes-of-fiber-cuts/
According to Level 3 Communications, Squirrel chews account for a whopping
17% of our damages so far this year! (2011)
So, while a rat has the distinction of going after a nuclear power plant,
that little critter is just the latest in a painfully long history of such
incidents.
[In addition to the SRI item that Ishikawa noted, I have probably
previously noted in RISKS that SRI International has experienced at least
5 squirrelcides that brought down the entire institute's power -- despite
our having created a co-generation plant in response to the first few. In
http://www.csl.sri.com/neumann/illustrativerisks.html, search for
"squirrel" gives those and others:
* Squirrel arcs power, downs computers in Providence RI
* SRI attacked by kamikaze squirrel who downs uninterruptible power
* 4th SRI squirrelcide causes 8-hour outage, surges, system rebuild
* 5th SRI squirrelcide causes 18.5-hour institute outage
* Another squirrelcide: San Jose Airport power cut
* Squirrel attack brings down Walla Walla
* Squirrel knocked out Trumbull Connecticut infrastructure computer center
PGN]
------------------------------
Date: Sun, 7 Oct 2012 20:20:16 -0900
From: RISKS-...@csl.sri.com
Subject: Abridged info on RISKS (comp.risks)
The ACM RISKS Forum is a MODERATED digest. Its Usenet manifestation is
comp.risks, the feed for which is donated by panix.com as of June 2011.
=> SUBSCRIPTIONS: PLEASE read RISKS as a newsgroup (comp.risks or equivalent)
if possible and convenient for you. The mailman Web interface can
be used directly to subscribe and unsubscribe:
http://lists.csl.sri.com/mailman/listinfo/risks
Alternatively, to subscribe or unsubscribe via e-mail to mailman
your FROM: address, send a message to
risks-...@csl.sri.com
containing only the one-word text subscribe or unsubscribe. You may
also specify a different receiving address: subscribe address= ... .
You may short-circuit that process by sending directly to either
risks-s...@csl.sri.com or risks-un...@csl.sri.com
depending on which action is to be taken.
Subscription and unsubscription requests require that you reply to a
confirmation message sent to the subscribing mail address. Instructions
are included in the confirmation message. Each issue of RISKS that you
receive contains information on how to post, unsubscribe, etc.
=> The complete INFO file (submissions, default disclaimers, archive sites,
copyright policy, etc.) is online.
<http://www.CSL.sri.com/risksinfo.html>
*** Contributors are assumed to have read the full info file for guidelines.
=> .UK users may contact <Lindsay....@newcastle.ac.uk>.
=> SPAM challenge-responses will not be honored. Instead, use an alternative
address from which you NEVER send mail!
=> SUBMISSIONS: to ri...@CSL.sri.com with meaningful SUBJECT: line.
*** NOTE: Including the string "notsp" at the beginning or end of the subject
*** line will be very helpful in separating real contributions from spam.
*** This attention-string may change, so watch this space now and then.
=> ARCHIVES: ftp://ftp.sri.com/risks for current volume
or ftp://ftp.sri.com/VL/risks for previous VoLume
http://www.risks.org takes you to Lindsay Marshall's searchable archive at
newcastle: http://catless.ncl.ac.uk/Risks/VL.IS.html gets you VoLume, ISsue.
Lindsay has also added to the Newcastle catless site a palmtop version
of the most recent RISKS issue and a WAP version that works for many but
not all telephones: http://catless.ncl.ac.uk/w/r
<http://the.wiretapped.net/security/info/textfiles/risks-digest/> .
==> PGN's comprehensive historical Illustrative Risks summary of one liners:
<http://www.csl.sri.com/illustrative.html> for browsing,
<http://www.csl.sri.com/illustrative.pdf> or .ps for printing
is no longer maintained up-to-date except for recent election problems.
*** NOTE: If a cited URL fails, we do not try to update them. Try
browsing on the keywords in the subject line or cited article leads.
==> Special Offer to Join ACM for readers of the ACM RISKS Forum:
<http://www.acm.org/joinacm1>
------------------------------
End of RISKS-FORUM Digest 27.23
************************
ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
Peter G. Neumann, moderator, chmn ACM Committee on Computers and Public Policy
***** See last item for further information, disclaimers, caveats, etc. *****
This issue is archived at <http://www.risks.org> as
<http://catless.ncl.ac.uk/Risks/27.23.html>
The current issue can be found at
<http://www.csl.sri.com/users/risko/risks.txt>
Contents:
IRS: Tax glitch affects about 660K returns (Heather Hollingsworth via
Monty Solomon)
Panama Canal Railway hit after upgrade (Bob Heuman)
Online Dispute Becomes Internet-Snarling Attack (Markoff/Perlroth via
Monty Solomon)
More on Spamhaus et al. (sender anonymized by request)
More cyberscares from our governments (Lauren Weinstein)
SSL, RC4, and Site Administrators (Steve Bellovin)
Microwave oven interference robustness mode (jidanni)
Saudi Arabia 'threatens Skype ban' (Lauren Weinstein)
FBI wants real-time access to ... well ... pretty much everything (LW)
NYPD Facial Recog Unit Uses Facebook, Instagram To Track Down Suspects (LW)
Big Data and a Renewed Debate Over Privacy (Steve Lohr via Monty Solomon)
Database Is Shut Down by NASA for a Review (Mark Mazzetti via Monty Solomon)
"12 hard truths about cloud computing" (Peter Wayner via Gene Wirchenko)
"One in six Amazon S3 storage buckets are ripe for data-plundering"
(Ted Samson via Gene Wirchenko)
Some digital cameras easily turned into spying devices (Lauren Weinstein)
Google offers *offline* language translation support for Android (LW)
Risks of using other people's libraries (Phil Nasadowski)
25,000 could be affected by data breach at Salem State University
(Monty Solomon)
"Twitter-shaming can cost you your job" (Ted Samson via Gene Wirchenko)
"Cisco inadvertently weakens password encryption in IOS (Lucian Constantin
via Gene Wirchenko)
Password must contain multiple character classes... (jidanni)
"Microsoft Employee Info Being Hacked Through Xbox Live" (Chris Paoli via
Gene Wirchenko)
"Updated Windows 8 apps not in sync with Google Calendar" (Woody Leonhard
via Gene Wirchenko)
Re: Small furry animals ... (jericho)
Abridged info on RISKS (comp.risks)
----------------------------------------------------------------------
Date: Mon, 25 Mar 2013 01:03:46 -0400
From: Monty Solomon <mo...@roscom.com>
Subject: IRS: Tax glitch affects about 660K returns (Heather Hollingsworth)
Heather Hollingsworth, AP, 13 Mar 2013
KANSAS CITY, Mo. (AP) - A tax-preparation glitch affecting about 660,000 tax
returns will delay refunds by as long as six weeks, with customers of the
nation's largest tax preparer among those affected.
The Internal Revenue Service said in a statement that a problem with a
''limited number of software company products'' affected some taxpayers
filing a form used to claim educational credits between 14 and 22 Feb 2013.
The agency didn't name any companies in the statement, which it released
Tuesday, but Kansas City-based H&R Block has been informing customers about
problems. H&R Block spokesman Gene King said Wednesday that the company
isn't saying how many of its customers were affected by the problems with
Form 8863. ...
http://www.boston.com/news/education/2013/03/13/irs-tax-glitch-affects-about-returns/2RStz826IfaP2YS5fFILsK/story.html
------------------------------
Date: Sat, 23 Mar 2013 19:38:20 -0400
From: Bob Heuman <robert...@alumni.monmouth.edu>
Subject: Panama Canal Railway hit after upgrade
Reuters, 22 Mar 2013
http://www.reuters.com/article/2013/03/23/us-panama-canal-idUSBRE92L19120130323
Thousands of containers have been stuck at Panamanian ports after a computer
glitch hampered communication with the railway, causing significant delays,
officials said on Friday. The Panama Canal Railway Co transports about
1,500 containers daily between the only port on the Pacific entrance to the
Panama Canal and three ports on the Atlantic, said Thomas Kenna, director of
operations for the railway. But a computer upgrade on 20 Mar 2013 by Panama
Ports Co (which manages two of those ports) caused severe lags, Kenna said.
Since then, the railway has moved only about 350 containers a day. Traffic
picked up on Friday, and the system should be operating normally by Monday,
Kenna added.
------------------------------
Date: Wed, 27 Mar 2013 14:01:57 -0400
From: Monty Solomon <mo...@roscom.com>
Subject: Online Dispute Becomes Internet-Snarling Attack (Markoff/Perlroth)
John Markoff and Nicole Perlroth, *The New York Times*, 26 Mar 2013
Firm Is Accused of Sending Spam, and Fight Jams Internet
A squabble between a group fighting spam and a Dutch company that hosts Web
sites said to be sending spam has escalated into one of the largest computer
attacks on the Internet, causing widespread congestion and jamming crucial
infrastructure around the world.
Millions of ordinary Internet users have experienced delays in services like
Netflix or could not reach a particular Web site for a short time.
However, for the Internet engineers who run the global network the problem
is more worrisome. The attacks are becoming increasingly powerful, and
computer security experts worry that if they continue to escalate people may
not be able to reach basic Internet services, like e-mail and online
banking.
The dispute started when the spam-fighting group, called Spamhaus, added the
Dutch company Cyberbunker to its blacklist, which is used by e-mail
providers to weed out spam. Cyberbunker, named for its headquarters, a
five-story former NATO bunker, offers hosting services to any Web site
"except child porn and anything related to terrorism," according to its Web
site.
A spokesman for Spamhaus, which is based in Europe, said the attacks began
on March 19, but had not stopped the group from distributing its blacklist.
Patrick Gilmore, chief architect at Akamai Networks, a digital content
provider, said Spamhaus's role was to generate a list of Internet spammers.
Of Cyberbunker, he added: "These guys are just mad. To be frank, they got
caught. They think they should be allowed to spam." ...
http://www.nytimes.com/2013/03/27/technology/internet/online-dispute-becomes-internet-snarling-attack.html
------------------------------
Date: Wed, 27 Mar 2013 09:48:41 -0700
From: Lauren Weinstein <lau...@vortex.com>
Subject: More on Spamhaus et al. (Another sender, anonymized by request)
[I don't like sending out anonymized messages, but it appears that many
legit users are simply terrified of upsetting Spamhaus. Via NNSquad.
Lauren]
Date: Wed, 27 Mar 2013 NN:09:11 -NNNN
From: []
Subject: More on Spamhaus et al. [Another sender anonymized by request]
On 27 Mar, [] wrote:
Spamhaus has selected some of my IP addresses now and then for lock down
as well -- even though they never demonstrated any proof of any sort that
there was any good reason. Indeed there was none. Then I found out that
they false positive list about 90,000 IPs a day -- according to them. And
I found out what it takes to get removed -- which is excessive for the
fact that they are acting without basis and from a location where class
action suits are not going to work. They won't even reveal their real
names.
In any case, vigilante injustice is not what the Internet needs.
------------------------------
Date: Thu, 28 Mar 2013 19:38:03 -0700
From: Lauren Weinstein <lau...@vortex.com>
Subject: More cyberscares from our governments
"Cyberattacks Seem Meant to Destroy, Not Just Disrupt"
http://j.mp/10eldVl (New York Times)
Mr. Obama's goal was to erode the business community's intense opposition
to federal legislation that would give the government oversight of how
companies protect "critical infrastructure," like banking systems and
energy and cellphone networks. That opposition killed a bill last year,
prompting Mr. Obama to sign an executive order promoting increased
information-sharing with businesses. "But I think we heard a new tone at
this latest meeting," an Obama aide said later. "Six months of unrelenting
attacks have changed some views."
In a word regarding this entire article: bull. My bet is that most of this
stuff is coming from the functional equivalent of pimple-faced kids in their
parents' basements in Cleveland. Hell, sad to say, I wouldn't be all that
surprised if our own governments are behind many of the attacks on our own
companies. This is all about our own governments wanting to scare the hell
out of us so that we'll let them and their cyberscare-industrial complex
buddies get more and more powerful, richer and richer, and won't complain as
they tap our networks just like they've wanted to do pretty much all along.
And we're falling for it, boys and girls.
------------------------------
Date: Fri, Mar 29, 2013 at 3:38 PM
From: Federal Trade Commission <subs...@subscribe.ftc.gov>
Subject: SSL, RC4, and Site Administrators
[image: Tech@FTC Banner] <http://techatftc.wordpress.com/>
Steve Bellovin
SSL, RC4, and Site Administrators
<http://techatftc.wordpress.com/2013/03/29/ssl-rc4-and-site-administrators/>
There's been yet another report of security problems with SSL.
<http://arstechnica.com/security/2013/03/new-attacks-on-ssl-decrypt-authentication-cookies/>
If you run a website or mail server, you may be wondering what to do about
it. For now, the answer is simple: nothing -- and don't worry about it.
First of all, at the moment there's nothing to do. You can't invent your
own cryptographic protocol; no one else would have a compatible browser.
Besides, they're notoriously hard to get right. In the very first paper on
the topic, Roger Needham and Michael Schroeder wrote ``Finally, protocols
such as those developed here are prone to extremely subtle errors that are
unlikely to be detected in normal operation. The need for techniques to
verify the correctness of such protocols is great, and we encourage those
interested in such problems to consider this area.'' Why do you think your
design will be better than one that has been scrutinized for more than 15
years?
Some of the trouble in this latest breach is due to weaknesses in the RC4
cipher algorithm. No one who works in cryptography was surprised by this
report; it's been showing cracks since at least 1997. What's new is that
someone has managed to turn the weaknesses into a real exploit, albeit one
that needs at least 224 and preferably 230 encryptions of the same plaintext
to work. (By the way, this is why cryptographers are so concerned about
minor weaknesses: as Bruce Schneier is fond of noting, attacks always get
better, they never get worse.) Besides, ciphers are even harder to get
right than protocols are. <http://www.schneier.com/>
The real reason not to worry, though, is that unless you're being targeted
by a major intelligence agency, this sort of cryptanalytic attack is *very*
far down on the risk scale. Virtually all attackers will look for unpatched
holes, injection or cross-site scripting attacks, people who will fall for
spear-phishing attacks, etc., long before they'll try something like this.
The common attacks are a lot easier to launch; besides, the attackers
understand them and know how to use them.
In the long run, RC4 has to be phased out. I certainly wouldn't start any
new designs that depended on RC4's characteristics or performance, but there
are plenty of other algorithm possibilities today. Vendors do need to ship
web browsers and servers that support newer versions of SSL (formally known
as TLS); weaknesses at the protocol level can't always be fixed by patching
code. For now, though, stay up to date with your patches and software, and
practice good security hygiene. (And if you are being targeted by a major
intelligence agency, you should talk to a major counterintelligence agency,
not me!)
Posted in Tech@FTC <http://techatftc.wordpress.com/category/techftc/>
------------------------------
Date: Sat, 23 Mar 2013 10:30:41 +0800
From: jid...@jidanni.org
Subject: Microwave oven interference robustness mode
The IEEE 802.11 committee that developed the Wi-Fi specification
conducted an extensive investigation into the interference potential
of microwave ovens. A typical microwave oven uses a self-oscillating
vacuum power tube called a magnetron and a high voltage power supply
with a half wave rectifier (often with voltage doubling) and no DC
filtering. This produces an RF pulse train with a duty cycle below 50%
as the tube is completely off for half of every AC mains cycle: 8.33
ms in 60 Hz countries and 10 ms in 50 Hz countries.
This property gave rise to a Wi-Fi "microwave oven interference
robustness" mode that segments larger data frames into fragments each
small enough to fit into the oven's "off" periods.
http://en.wikipedia.org/wiki/Electromagnetic_interference_at_2.4_GHz#Microwave_oven
------------------------------
Date: Mon, 25 Mar 2013 12:12:24 -0700
From: Lauren Weinstein <lau...@vortex.com>
Subject: Saudi Arabia 'threatens Skype ban'
http://j.mp/16TWb2V (BBC via NNSquad)
"Encrypted messaging services such as Skype, Viber and WhatsApp could be
blocked in Saudi Arabia, the telecommunications regulator there is
reported to have warned. It is demanding a means to monitor such
applications, but Saudis say that would seriously inhibit their
communications. Saudi newspapers are reporting that the companies behind
the applications have been given a week to respond."
------------------------------
Date: Tue, 26 Mar 2013 22:27:27 -0700
From: Lauren Weinstein <lau...@vortex.com>
Subject: FBI wants real-time access to ... well ... pretty much everything
"FBI Pursuing Real-Time Gmail Spying Powers as 'Top Priority' for 2013"
http://j.mp/11Kqi9d (Slate via NNSquad)
"Despite the pervasiveness of law enforcement surveillance of digital
communication, the FBI still has a difficult time monitoring Gmail, Google
Voice, and Dropbox in real time. But that may change soon, because the
bureau says it has made gaining more powers to wiretap all forms of
Internet conversation and cloud storage a "top priority" this year."
Actually, what they want is real-time access to pretty much everything from
everyone. If they could force hardware manufacturers to install keyloggers,
screengrabbers, and audio/video siphons into every piece of telecom gear
manufactured, they would. And at some point, they'll probably try. Could
they catch more bad guys that way? Yeah. But they also could solve more
crimes by installing government cameras and microphones in everyone's homes
and businesses. At some point -- like now -- we simply have to say that
civil liberties trump.
------------------------------
Date: Mon, 25 Mar 2013 21:11:43 -0700
From: Lauren Weinstein <lau...@vortex.com>
Subject: NYPD Facial Recog Unit Uses Facebook, Instagram To Track Down Suspects
"Police are searching for suspects' photos on Instagram and Facebook, then
running them through the NYPD's new Facial Recognition Unit to put a face
to a name, DNAinfo New York has learned. Detectives are now breaking
cases across the city thanks to the futuristic technology that marries mug
shots of known criminals with pictures gleaned from social media,
surveillance cameras and anywhere else cops can find images."
http://j.mp/XCVDrd (DNAinfo.com via NNSquad)
Remember what I say, again and again: "Public Is Public!"
------------------------------
Date: Mon, 25 Mar 2013 00:31:06 -0400
From: Monty Solomon <mo...@roscom.com>
Subject: Big Data and a Renewed Debate Over Privacy (Steve Lohr)
Big Data Is Opening Doors, but Maybe Too Many
Steve Lohr, *The New York Times*, 23 Mar 2013
In the 1960s, mainframe computers posed a significant technological
challenge to common notions of privacy. That's when the federal government
started putting tax returns into those giant machines, and consumer credit
bureaus began building databases containing the personal financial
information of millions of Americans. Many people feared that the new
computerized databanks would be put in the service of an intrusive corporate
or government Big Brother.
"It really freaked people out," says Daniel J. Weitzner, a former senior
Internet policy official in the Obama administration. "The people who cared
about privacy were every bit as worried as we are now."
Along with fueling privacy concerns, of course, the mainframes helped prompt
the growth and innovation that we have come to associate with the computer
age. Today, many experts predict that the next wave will be driven by
technologies that fly under the banner of Big Data - data including Web
pages, browsing habits, sensor signals, smartphone location trails and
genomic information, combined with clever software to make sense of it all.
Proponents of this new technology say it is allowing us to see and measure
things as never before - much as the microscope allowed scientists to
examine the mysteries of life at the cellular level. Big Data, they say,
will open the door to making smarter decisions in every field from business
and biology to public health and energy conservation.
"This data is a new asset," says Alex Pentland, a computational social
scientist and director of the Human Dynamics Lab at the M.I.T. "You want it
to be liquid and to be used."
But the latest leaps in data collection are raising new concern about
infringements on privacy - an issue so crucial that it could trump all
others and upset the Big Data bandwagon. Dr. Pentland is a champion of the
Big Data vision and believes the future will be a data-driven society. Yet
the surveillance possibilities of the technology, he acknowledges, could
leave George Orwell in the dust. ...
http://www.nytimes.com/2013/03/24/technology/big-data-and-a-renewed-debate-over-privacy.html
------------------------------
Date: Mon, 25 Mar 2013 00:34:11 -0400
From: Monty Solomon <mo...@roscom.com>
Subject: Database Is Shut Down by NASA for a Review (Mark Mazzetti)
Mark Mazzetti, *The New York Times*, 22 Mar 2013
WASHINGTON - NASA has shut down a large public database and is limiting
access to agency facilities by foreign citizens as part of a broader
investigation into efforts by China and other countries to get information
about important technology.
NASA announced the security procedures this week, after the F.B.I. arrested
a Chinese citizen at Dulles International Airport in Virginia who had
boarded a plane to Beijing.
The man, Bo Jiang, had been working as a contractor at NASA's Langley
Research Center in southern Virginia. According to an affidavit filed on
Monday, Mr. Jiang is being charged with making false statements to federal
agents - failing to disclose that he was carrying a laptop, hard drive and
SIM card that were discovered after a search of his belongings. ...
http://www.nytimes.com/2013/03/23/us/nasa-shuts-down-database-during-security-inquiry.html
------------------------------
Date: Mon, 25 Mar 2013 10:36:11 -0700
From: Gene Wirchenko <ge...@telus.net>
Subject: "12 hard truths about cloud computing" (Peter Wayner)
Peter Wayner, InfoWorld,
Performance, security, cost -- here's what to really expect from the cloud
http://www.infoworld.com/d/cloud-computing/12-hard-truths-about-cloud-computing-214920
------------------------------
Date: Thu, 28 Mar 2013 10:43:30 -0700
From: Gene Wirchenko <ge...@telus.net>
Subject: "One in six Amazon S3 storage buckets are ripe for data-plundering"
(Ted Samson)
Ted Samson, InfoWorld, 27 Mar 2013
Researchers discover nearly 2,000 Amazon Simple Storage Service
buckets containing freely accessible sensitive data
http://www.infoworld.com/t/cloud-security/one-in-six-amazon-s3-storage-buckets-are-ripe-data-plundering-215349
------------------------------
Date: Tue, 26 Mar 2013 18:11:04 -0700
From: Lauren Weinstein <lau...@vortex.com>
Subject: Some digital cameras easily turned into spying devices
http://j.mp/XaU20U (Net-Security [+video] via NNSquad)
"Newer cameras increasingly sport built-in Wi-Fi capabilities or allow
users to add SD cards to achieve them in order to be able to upload and
share photos and videos as soon as they take them. But, as proven by
Daniel Mende and Pascal Turbing, security researchers with German-based IT
consulting firm ERNW, these capabilities also have security flaws that can
be easily exploited for turning these cameras into spying devices. Mende
and Turbing chose to compromise Canon's EOS-1D X DSLR camera an exploit
each of the four ways it can communicate with a network. Not only have
they been able to hijack the information sent from the camera, but have
also managed to gain complete control of it."
------------------------------
Date: Wed, 27 Mar 2013 10:55:50 -0700
From: Lauren Weinstein <lau...@vortex.com>
Subject: Google offers *offline* language translation support for Android
http://j.mp/Zq5Gzg (Google Translate Blog via NNSquad)
Have you ever found yourself in a foreign country, wishing you knew how to
say "I'm lost!" or "I'm allergic to peanuts"? The Internet and services
like Google Translate can help-but what if you don't have a connection?
Today we're launching offline language packages for Google Translate on
Android (2.3 and above) with support for fifty languages, from French and
Spanish to Chinese and Arabic.
Seriously useful and cool.
------------------------------
Date: Mon, 25 Mar 2013 22:37:34 -0400
From: Phil Nasadowski <pnasa...@pcsintegrators.com>
Subject: Risks of using other people's libraries
We recently ran into a situation where I work, where a vendor's (a large,
well-known, multinational company with a two letter abbreviation for it's
name) piece of software was not fully compatible with Windows 7, 64bit. In
particular, a portion of the UI that's very, very useful for looking at
variables, is broken.
Being that the software in question was a development package for their
programmable logic controllers, and the widespread use of Windows 7 / 64 bit
in our office, a call to the vendor was in order.
The vendor replied that they were *not* going to update the package for 64
bit operating systems and there was *no* workaround.
A bit of pressing and a few nasty emails later, we got the full story:
Apparently the software uses a library developed by an outside firm. That
firm went bankrupt and is no longer in business. There is no copy of the
source code to the library. The library is not 64 bit compatible. Thus,
the vendor is forced to rewrite a portion of his software in house. Or seek
another library. Or something.
We are stuck with a piece of broken software for the mean time. They say
maybe 6 months to a year to fix it. I doubt we're alone.
I'm sure this isn't the first time this has happened. I'm sure it won't be
the last. It's a risk of relying on someone else's library to do something.
If they go away, you may be stuck with incompatible software. And your
customers won't be happy about it.
Philip Nasadowski, Project Engineer, PCS Integrators
------------------------------
Date: Mon, 25 Mar 2013 00:19:47 -0400
From: Monty Solomon <mo...@roscom.com>
Subject: 25,000 could be affected by data breach at Salem State University
http://www.newburyportnews.com/local/x1533629801/25-000-could-be-affected-by-data-breach-at-SSU
http://bostonglobe.com/metro/2013/03/15/virus-accesses-salem-state-university-database-containing-personal-information-for-thousands/S7AJvP1k7Zb7lLzSqhm7pN/story.html?s_campaign=8315
------------------------------
Date: Mon, 25 Mar 2013 09:51:31 -0700
From: Gene Wirchenko <ge...@telus.net>
Subject: "Twitter-shaming can cost you your job" (Ted Samson)
Ah, the wonders/blunders of modern communication.
Ted Samson, InfoWorld, 21 Mar 2013
Complaint on Twitter about overheard off-color jokes ends up costing
two techies their jobs
http://www.infoworld.com/t/technology-business/twitter-shaming-can-cost-you-your-job-214956
------------------------------
Date: Mon, 25 Mar 2013 10:00:24 -0700
From: Gene Wirchenko <ge...@telus.net>
Subject: "Cisco inadvertently weakens password encryption in IOS
(Lucian Constantin)
Lucian Constantin, IDG News Service, InfoWorld, 20 Mar 2013
http://www.infoworld.com/d/security/cisco-inadvertently-weakens-password-encryption-in-its-ios-operating-system-214907
Cisco inadvertently weakens password encryption in its IOS operating system
The password encryption scheme used in newer Cisco IOS versions is weak,
researchers find.
------------------------------
Date: Fri, 29 Mar 2013 19:39:17 +0800
From: jid...@jidanni.org
Subject: Password must contain multiple character classes...
I have just encountered the most clodsworthy...
Lost Password Login
https://savannah.gnu.org/
Welcome, jidanni. You may now change your password.
New password / passphrase:
(not too short, must contain multiple character classes: symbols, digits
(0-9), upper and lower case letters) (for instance: Stigma5Brass3Status)
New Password (repeat):
1. Why am I here? Because I always forget my password.
2. Why do I always forget my password? Because I am not allowed to use
my much better password, but have to conform to some expert person's
concept of what is a good password.
------------------------------
Date: Tue, 26 Mar 2013 10:37:42 -0700
From: Gene Wirchenko <ge...@telus.net>
Subject: "Microsoft Employee Info Being Hacked Through Xbox Live"
Chris Paoli, 20 Mar 2013
And one security expert unravels the tangled web of related attacks.
http://redmondmag.com/articles/2013/03/20/xbox-live-hack.aspx
------------------------------
Date: Wed, 27 Mar 2013 09:42:00 -0700
From: Gene Wirchenko <ge...@telus.net>
Subject: "Updated Windows 8 apps not in sync with Google Calendar"
(Woody Leonhard)
Users caught in the middle:
Woody Leonhard, InfoWorld, 26 Mar 2013
http://www.infoworld.com/t/microsoft-windows/updated-windows-8-apps-not-in-sync-google-calendar-215225
Updated Windows 8 apps not in sync with Google Calendar
Microsoft's new version of the Metro 'productivity' apps Mail, Calendar,
and People refuses to sync with Google Calendar
But it is not just Microsoft:
"After you upgrade Mail, Calendar, and People (they all come together), the
first time the Metro apps try to sync with a Google Calendar, you see this
message:
Reconnect this account / We can't connect to blah...@gmail.com because
Google no longer supports ActiveSync. Reconnect to get your email and
contacts using a different method. Cancel to save your email drafts and
reconnect later."
------------------------------
Date: Sun, 24 Mar 2013 12:29:57 -0500 (CDT)
From: security curmudgeon <jer...@attrition.org>
Subject: Re: Small furry animals ... (Re: Ishikawa, RISKS-27.22)
[Ishikawa notes only] the tip of the iceberg. While doing research for a
presentation, I focused only on squirrel-related outages of both power and
communications. The presentation is available here:
http://attrition.org/security/conferences/2012-BruCON-CyberWar-v18-FINAL03.pptx
If you start at slide 33 and click through to slide 39, you will not only
see my attempt at a humorous assertion that squirrels are a bigger threat
than 'cyberwar', but in the notes below each side is extensive details of
other incidents caused by squirrels. In some cases, I had to resort to (now
shared) Google spreadsheets because there were so many incidents.
In particular, look at the notes for Slide 34 which has one fascinating
statistic:
Squirrels caused 177 power outages in Lincoln, Nebraska, in 1980, which
was 24% of all outages. Estimated annual costs were $23,364 for repairs,
public relations, and lost revenue. In Omaha, in 1985, squirrels caused
332 outages costing at least $47,144. After squirrel guards were installed
over pole-mounted transformers in Lincoln in 1985, annual costs were
reduced 78% to $5,148.
Another article tells us:
In Georgia, squirrel-related outages more than tripled from 5,273 in 2005
to 16,750 in 2006. [..] Georgia Power officials estimate the rodents cost
them $2 million last year. [..] It appears that the problem may in part be
due to acorns. [..] PECO, which powers Philadelphia and its surrounding
counties, spends $1 million a year on squirrel guards to stop outages from
"those rascally little varmints," Engel said.
Another reference in the presentation also gives us this:
http://blog.level3.com/2011/08/04/the-10-most-bizarre-and-annoying-causes-of-fiber-cuts/
According to Level 3 Communications, Squirrel chews account for a whopping
17% of our damages so far this year! (2011)
So, while a rat has the distinction of going after a nuclear power plant,
that little critter is just the latest in a painfully long history of such
incidents.
[In addition to the SRI item that Ishikawa noted, I have probably
previously noted in RISKS that SRI International has experienced at least
5 squirrelcides that brought down the entire institute's power -- despite
our having created a co-generation plant in response to the first few. In
http://www.csl.sri.com/neumann/illustrativerisks.html, search for
"squirrel" gives those and others:
* Squirrel arcs power, downs computers in Providence RI
* SRI attacked by kamikaze squirrel who downs uninterruptible power
* 4th SRI squirrelcide causes 8-hour outage, surges, system rebuild
* 5th SRI squirrelcide causes 18.5-hour institute outage
* Another squirrelcide: San Jose Airport power cut
* Squirrel attack brings down Walla Walla
* Squirrel knocked out Trumbull Connecticut infrastructure computer center
PGN]
------------------------------
Date: Sun, 7 Oct 2012 20:20:16 -0900
From: RISKS-...@csl.sri.com
Subject: Abridged info on RISKS (comp.risks)
The ACM RISKS Forum is a MODERATED digest. Its Usenet manifestation is
comp.risks, the feed for which is donated by panix.com as of June 2011.
=> SUBSCRIPTIONS: PLEASE read RISKS as a newsgroup (comp.risks or equivalent)
if possible and convenient for you. The mailman Web interface can
be used directly to subscribe and unsubscribe:
http://lists.csl.sri.com/mailman/listinfo/risks
Alternatively, to subscribe or unsubscribe via e-mail to mailman
your FROM: address, send a message to
risks-...@csl.sri.com
containing only the one-word text subscribe or unsubscribe. You may
also specify a different receiving address: subscribe address= ... .
You may short-circuit that process by sending directly to either
risks-s...@csl.sri.com or risks-un...@csl.sri.com
depending on which action is to be taken.
Subscription and unsubscription requests require that you reply to a
confirmation message sent to the subscribing mail address. Instructions
are included in the confirmation message. Each issue of RISKS that you
receive contains information on how to post, unsubscribe, etc.
=> The complete INFO file (submissions, default disclaimers, archive sites,
copyright policy, etc.) is online.
<http://www.CSL.sri.com/risksinfo.html>
*** Contributors are assumed to have read the full info file for guidelines.
=> .UK users may contact <Lindsay....@newcastle.ac.uk>.
=> SPAM challenge-responses will not be honored. Instead, use an alternative
address from which you NEVER send mail!
=> SUBMISSIONS: to ri...@CSL.sri.com with meaningful SUBJECT: line.
*** NOTE: Including the string "notsp" at the beginning or end of the subject
*** line will be very helpful in separating real contributions from spam.
*** This attention-string may change, so watch this space now and then.
=> ARCHIVES: ftp://ftp.sri.com/risks for current volume
or ftp://ftp.sri.com/VL/risks for previous VoLume
http://www.risks.org takes you to Lindsay Marshall's searchable archive at
newcastle: http://catless.ncl.ac.uk/Risks/VL.IS.html gets you VoLume, ISsue.
Lindsay has also added to the Newcastle catless site a palmtop version
of the most recent RISKS issue and a WAP version that works for many but
not all telephones: http://catless.ncl.ac.uk/w/r
<http://the.wiretapped.net/security/info/textfiles/risks-digest/> .
==> PGN's comprehensive historical Illustrative Risks summary of one liners:
<http://www.csl.sri.com/illustrative.html> for browsing,
<http://www.csl.sri.com/illustrative.pdf> or .ps for printing
is no longer maintained up-to-date except for recent election problems.
*** NOTE: If a cited URL fails, we do not try to update them. Try
browsing on the keywords in the subject line or cited article leads.
==> Special Offer to Join ACM for readers of the ACM RISKS Forum:
<http://www.acm.org/joinacm1>
------------------------------
End of RISKS-FORUM Digest 27.23
************************
0 new messages