RISKS-LIST: Risks-Forum Digest Saturday 26 November 2011 Volume 26 : Issue 64
ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
Peter G. Neumann, moderator, chmn ACM Committee on Computers and Public Policy
***** See last item for further information, disclaimers, caveats, etc. *****
This issue is archived at <http://www.risks.org> as
<http://catless.ncl.ac.uk/Risks/26.64.html>
The current issue can be found at
<http://www.csl.sri.com/users/risko/risks.txt>
Contents:
CalPERS computer misfire sparks benefit cancellations (Randall Neff)
Robot prison wardens - with guns? (Peter Houppermans)
"Facebook bans at work linked to increased security breaches"
(Nestor E. Arellano via Gene Wirchenko)
"Hired posters degrading Web's information credibility"
(John P. Mello Jr. via Gene Wirchenko)
Thailand wants Facebook links blocked, warns that pressing "Like" can
lead to prosecution (Lauren Weinstein)
If You Can't Trust Caller ID ... (Matt Richtel)
LaTeX as an example of software engineering best practices? (Mark Thorson,
PGN)
Re: Update: U.S. water plants reportedly hit by cyber attacks
(Alexander Klimov)
Ruined water pump apparently wasn't attacked by hackers after all
(Lauren Weinstein)
Apple iTunes flaw 'allowed government spying for 3 years' (Lauren Weinstein)
More on Duqu/stuxnet link? (PGN)
Missing the point of the Internet (Bob Frankston)
REVIEW: Eric D. Knapp, Industrial Network Security: Securing
Critical Infrastructure Networks for Smart Grid, SCADA, and Other
Industrial Control Systems (Richard Austin)
Abridged info on RISKS (comp.risks)
----------------------------------------------------------------------
Date: Sat, 26 Nov 2011 08:42:33 -0800
From: Randall Neff <randall.n...@gmail.com>
Subject: CalPERS computer misfire sparks benefit cancellations
Sacramento, Calif. A glitch with CalPERS' (California Pension System) new
half-billion-dollar computer system has delayed death benefit checks to
widowed spouses and incorrectly triggered letters notifying some members
that their health insurance has been canceled.
http://www.mcclatchydc.com/2011/11/23/131256/computer-glitch-in-calif...
------------------------------
Date: Sat, 26 Nov 2011 17:13:05 +0100
From: Peter Houppermans <pe...@houppermans.com>
Subject: Robot prison wardens - with guns?
Robot wardens are about to join the ranks of South Korea's prison service.
http://www.bbc.co.uk/news/technology-15893772
A jail in the eastern city of Pohang plans to run a month-long trial with
three of the automatons in March. The machines will monitor inmates for
abnormal behaviour. Researchers say they will help reduce the workload
for other guards. South Korea aims to be a world leaders in
robotics. Business leaders believe the field has the potential to become a
major export industry.
It actually gets even better:
"The South Korean defence company DoDAAM is also developing robotic gun
turrets for export which can be programmed to open fire automatically."
Oh yeah, you want those turrets on that robot in a prison. New, untried OS,
vendor under competitive pressure, gun with real bullets and a high
likelihood of this thing having some form of remote management. What could
possible go wrong?
PS: good luck recruiting service engineers...
------------------------------
Date: Thu, 24 Nov 2011 10:23:49 -0800
From: Gene Wirchenko <ge...@ocis.net>
Subject: "Facebook bans at work linked to increased security breaches"
(Nestor E. Arellano)
I have submitted news of a number of Facebook security breaches. Now, it
appears that they (whoever that is) have you coming and going. The title
says it:
Facebook bans at work linked to increased security breaches
Companies that ban employees from using social media are 30 per cent more
likely to suffer computer security breaches than firms that are more
lenient on the issue of workers tweeting and checking Facebook posts in
the office, according to recent survey.
Nestor E. Arellano, *IT Business*, 24 Nov 2011
http://www.itbusiness.ca/it/client/en/home/News.asp?id=65068
------------------------------
Date: Fri, 25 Nov 2011 10:53:41 -0800
From: Gene Wirchenko <ge...@ocis.net>
Subject: "Hired posters degrading Web's information credibility"
(John P. Mello Jr.)
http://www.itbusiness.ca/it/client/en/home/News.asp?id=65094
Hired posters degrading Web's information credibility
A new study says paid posters are poisoning the Internet with their
untrustworthy content.
John P. Mello Jr., *IT Business*, 24 Nov 2011
------------------------------
Date: Thu, 24 Nov 2011 12:35:16 -0800
From: Lauren Weinstein <lau...@vortex.com>
Subject: Thailand wants Facebook links blocked, warns that pressing "Like"
can lead to prosecution (NNSquad)
http://j.mp/vZ2fnM (TheNextWeb)
The government of Thailand has contacted Facebook to request the
removal of more than 10,000 of its pages that are deemed in breach of
laws preventing the defamation of the country's royal family.
- - -
http://j.mp/v7FD57 (Bangkok Post)
Local Facebook users risk violating the computer law unknowingly by
pressing the "like" or "share" button included with posted comment on
anti-monarchy messages on the most popular social networking site,
Information and Communication Technology Minister Anudith Nakornthap said
on Thursday. Anyone doing so could be arrested on charges of violating
the Computer Crime Act and committing lese majeste because the law
prohibits the dissemination of content deemed insulting to the monarchy,
he said. Facebook users should not press the ``like'' button or post
comments on lese majeste-related content.
- - -
How about this for a way to prod these Neanderthals into the 21st century?
Cut them off the Net totally until these practices cease. Be sure to read
the part about the 61-year-old man just handed a 20 year prison sentence for
sending SMS messages "insulting" to the royal family.
------------------------------
Date: Wed, 23 Nov 2011 14:14:47 PST
From: "Peter G. Neumann" <neum...@csl.sri.com>
Subject: If You Can't Trust Caller ID ... (Matt Richtel)
Telemarketers increasingly are disguising their real identities and
phone numbers... Caller ID [properly, Calling Number ID] is becoming
Fake ID. New FCC rules have been instituted to combat this practice,
but are apparently very limited in their effectiveness... [Source: Matt
Richtel, *The New York Times* front page, 23 Nov 2011; PGN-ed]
------------------------------
Date: Fri, 25 Nov 2011 10:48:44 -0800
From: Mark Thorson <e...@sonic.net>
Subject: LaTeX as an example of software engineering best practices
You might think that a program written by Donald Knuth and Leslie Lamport
would be an ideal example of good programming, rather than the kind of
encrusted monstrosity we expect from Microsoft. But perhaps it's the way of
all things to end up like that, no matter who wrote it.
http://vallettaventures.tumblr.com/post/13124883568/the-price-of-a-me...
------------------------------
Date: Fri, 25 Nov 2011 19:32:56 PST
From: Peter Neumann <ri...@csl.sri.com>
Subject: Re: LaTeX as an example of software engineering best practices
Mark, TEX is complicated. Don Knuth once told me he never used it, and just
handed raw text (on paper?) to his secretaries to be TEXed.
LaTeX was created by Les Lamport initially primarily for his own use
(reminds you a little of Unix?). He gave it away for free, but his son's
college education was funded from the book sales. But LaTeX significantly
simplified many of the more challenging corners of TEX, and yet it deals
with huge numbers of fonts, IEEE and ACM styles for formatting and
bibliographies and whatever, automated indexing, and miraculously it usually
works once you have figured out how to use it, with copious additional
advice existing on the Web. But it is nontrivial to get it working
seamlessly.
Complex system are intrinsically complex. That's not a surprise. One
question is whether the human interface can be usable. Another question is
whether it is sufficiently well software engineered and modularly
encapsulated to be easily extendable by others. For those reasons, I am
still addicted to LaTeX and emacs. But I don't think I would want to use
them for creating large documents on an iPad.
------------------------------
Date: Thu, 24 Nov 2011 19:39:01 +0200
From: Alexander Klimov <a...@eitan.edu>
Subject: Re: Update: U.S. water plants reportedly hit by cyber attacks
(Lemos, R 26 62)
<http://www.pcmag.com/article2/0,2817,2396835,00.asp>
The Department of Homeland Security and the FBI on Wednesday shot
down reports that a cyber attack recently took down a pump at an
Illinois public water utility.
"After detailed analysis, DHS and the FBI have found no evidence of
a cyber intrusion into the SCADA system of the Curran-Gardner Public
Water District in Springfield, Illinois," a DHS spokesman said in a
statement.
[...] DHS, however, said the reports seen by Weiss "were based on
raw, unconfirmed data and subsequently leaked to the media." After
evaluating the situation, officials found "no evidence ... that any
credentials were stolen, or that the vendor was involved in any
malicious activity that led to a pump failure at the water plant."
"In addition, DHS and FBI have concluded that there was no malicious
traffic from Russia or any foreign entities, as previously
reported," DHS continued. "Analysis of the incident is ongoing and
additional relevant information will be released as it becomes
available."
I guess most people excited by the original report will never see the
rebuttal.
------------------------------
Date: Tue, 22 Nov 2011 18:21:57 -0800
From: Lauren Weinstein <lau...@vortex.com>
Subject: Ruined water pump apparently wasn't attacked by hackers after all
(Re: Lemos, RISKS-26.62)
http://j.mp/vLku0D (Wired)
"A report from an Illinois intelligence fusion center that a water utility
was hacked cannot be substantiated, according to an announcement released
late Tuesday by the Department of Homeland Security. Additionally, the
department disputes assertions in the fusion center report that an
infrastructure-control software vendor was hacked prior to the water
utility intrusion in order to obtain user names and passwords to break
into the utility company and destroy a water pump."
- - -
Some of you may recall I was skeptical of this report early on. While
there's still confusion, I will say again that the "Quick! Blame the evil
hackers and foreign governments testing our defenses!" excuse for local
screw-ups should always be considered as a strong contender in these
situations.
Lauren Weinstein (lau...@vortex.com): http://www.vortex.com/lauren
People For Internet Responsibility: http://www.pfir.org
Network Neutrality Squad: http://www.nnsquad.org
------------------------------
Date: Fri, 25 Nov 2011 12:23:05 -0800
From: Lauren Weinstein <lau...@vortex.com>
Subject: Apple iTunes flaw 'allowed government spying for 3 years'
"A British company called Gamma International marketed hacking software to
governments that exploited the vulnerability via a bogus update to iTunes,
Apple's media player, which is installed on more than 250 million machines
worldwide. The hacking software, FinFisher, is used to spy on
intelligence targets' computers. It is known to be used by British
agencies and earlier this year records were discovered in abandoned
offices of that showed it had been offered to Egypt's feared secret
police." http://j.mp/tglKss (Telegraph)
- - -
I have no additional info about this report yet, one way or another.
------------------------------
Date: Wed, 23 Nov 2011 10:21:14 PST
From: "Peter G. Neumann" <neum...@csl.sri.com>
Subject: More on Duqu/stuxnet link?
http://news.hostexploit.com/cybercrime-news/5022-duqu-from-the-same-p...
------------------------------
Date: Fri, 25 Nov 2011 14:25:36 -0500
From: "Bob Frankston" <bob2...@bobf.frankston.com>
Subject: Missing the point of the Internet (Re: Shapir, RISKS-26.63)
Today's Internet is a work in progress. Indeed the current implementation
lends itself to tracking because the current implementation depends on a
central authority for names and addresses (DNS and IP) and because bits are
tracked in order to support the current telecommunications business model.
The real risk is confusing these artifacts with the larger idea of the
Internet which shows what can done without a central authority or, for now,
despite these central authorities.
As I explain in http://rmf.vc/ThinkingOutsideThePipe networks are not
fundamental. This means that the Internet is not easier to control once
there is a funding model that doesn't require controlling the path.
To put it another way -- the reason that the Internet is easy to control is
that we have stakeholders who embrace control and not because such control
is necessary.
-----Original Message-----
From: Amos Shapir [mailto:amos
...@hotmail.com]
Sent: Sunday, November 20, 2011 09:59
Subject: [risks 26.63] Re: The Coming Fascist Internet (Weinstein,
RISKS-26.61)
Comparing the Internet to other rather new technologies shows that prognosis
is not good. Take driving as a case in point: about 20 years after the
invention of the automobile, anyone could drive anything anywhere; now no
one can drive anywhere unless both vehicle and driver are licensed and
registered by some government.
The Internet is even easier to control than roads, as all infrastructure is
supplied by a few big companies, which usually comply with the government.
China seems to be the future.
------------------------------
Date: Thu, 24 Nov 2011 00:23:22 -0700
From: "Cipher Editor" <cipher-edi...@ieee-security.org>
Subject: REVIEW: Eric D. Knapp, Industrial Network Security: Securing
Critical Infrastructure Networks for Smart Grid, SCADA, and Other
Industrial Control Systems (Richard Austin)
EXCERPTED FROM:
Newsletter of the IEEE Computer Society's TC on Security and Privacy
Electronic Issue 105 November 22, 2011
Hilarie Orman, Editor Sven Dietrich, Assoc. Editor
cipher-editor @ ieee-security.org cipher-assoc-editor @ ieee-security.org
Richard Austin Yong Guan
Book Review Editor Calendar Editor
cipher-bookrev @ ieee-security.org cipher-cfp @ ieee-security.org
Book Review By Richard Austin
November 18, 2011
Industrial Network Security: Securing Critical Infrastructure Networks
for Smart Grid, SCADA, and Other Industrial Control Systems
Eric D. Knapp
Syngress 2011.
ISBN 978-1-59749-645-2 Amazon.com, U.S. $32.90
Table of Contents:
http://www.elsevierdirect.com/toc.jsp?isbn=9781597496452
Whether based on the success of STUXNET, Richard Clarke's "Cyber War" or
Joel Brenner's "America the Vulnerable", a convincing case has been made
that we, as security professionals, should be concerned about the security
measures (or lack thereof) being applied to the industrial control systems
that manage power generation and distribution as well as many other critical
infrastructure components. At the same time, many of us, like your humble
correspondent, would be forced to admit that our knowledge in this area
doesn't go much further than being able to spell out the acronym "SCADA".
Knapp recognizes this lack and provides a quite readable introduction to
industrial networks and how familiar security principles can be translated
to apply in this complex area.
The first third of the book provides an introduction to industrial networks,
their protocols and how they operate. Peppered throughout the introduction
are sidelights on security incidents and previews of how security measures
may be applied. Acronyms multiply quickly and readers will likely want to
maintain a cheat sheet to avoid having to flip back and forth to find their
meanings (many, but not all, are in the glossary).
The majority of the book is devoted to parsing out what "information
security" really means in the context of industrial networks. Familiar
topics such as "vulnerability and risk management" and "situational
awareness" are placed in context and the unique considerations imposed by an
industrial control network are identified. For example, many of us will
have had the experience of crashing a piece of network equipment when
scanning its management interface to assess its attack surface. What is an
inconvenience in that context may have a much wider impact when the device
is controlling a real-world process.
As you might expect, compliance is a major concern and a very useful chapter
reviews the relevant standards/regulations and provides recommendations for
demonstrating compliance. Knapp also provides a "reverse mapping" that even
identifies the relevant chapter of the book.
The closing chapter's review of why-things-often-go-wrong includes many of
the usual suspects ("Compliance vs. Security", "Misconfigurations", etc) and
serves as a final reminder that though industrial networks present many
unique features, they also have much in common with the more familiar areas
of information security.
Whether you are charged with defending an industrial network or curious
about all the "buzz" over SCADA security, Knapp's book will provide a solid
introduction to this fascinating area. Definitely a recommended read.
[Before beginning life as a university instructor and independent
cybersecurity consultant, Richard Austin (http://cse.spsu.edu/raustin2)
spent 30+ years in the IT industry in positions ranging from software
developer to security architect. He welcomes your thoughts and comments
at raustin2 at spsu dot edu .]
------------------------------
Date: Mon, 6 Jun 2011 20:01:16 -0900
From: RISKS-requ...@csl.sri.com
Subject: Abridged info on RISKS (comp.risks)
The ACM RISKS Forum is a MODERATED digest. Its Usenet manifestation is
comp.risks, the feed for which is donated by panix.com as of June 2011.
=> SUBSCRIPTIONS: PLEASE read RISKS as a newsgroup (comp.risks or equivalent)
if possible and convenient for you. The mailman Web interface can
be used directly to subscribe and unsubscribe:
http://lists.csl.sri.com/mailman/listinfo/risks
Alternatively, to subscribe or unsubscribe via e-mail to mailman
your FROM: address, send a message to
risks-requ...@csl.sri.com
containing only the one-word text subscribe or unsubscribe. You may
also specify a different receiving address: subscribe address= ... .
You may short-circuit that process by sending directly to either
risks-subscr...@csl.sri.com or risks-unsubscr...@csl.sri.com
depending on which action is to be taken.
Subscription and unsubscription requests require that you reply to a
confirmation message sent to the subscribing mail address. Instructions
are included in the confirmation message. Each issue of RISKS that you
receive contains information on how to post, unsubscribe, etc.
=> The complete INFO file (submissions, default disclaimers, archive sites,
copyright policy, etc.) is online.
<http://www.CSL.sri.com/risksinfo.html>
The full info file may appear now and then in RISKS issues.
*** Contributors are assumed to have read the full info file for guidelines.
=> .UK users may contact <Lindsay.Marsh...@newcastle.ac.uk>.
=> SPAM challenge-responses will not be honored. Instead, use an alternative
address from which you NEVER send mail!
=> SUBMISSIONS: to ri...@CSL.sri.com with meaningful SUBJECT: line.
*** NOTE: Including the string "notsp" at the beginning or end of the subject
*** line will be very helpful in separating real contributions from spam.
*** This attention-string may change, so watch this space now and then.
=> ARCHIVES: ftp://ftp.sri.com/risks for current volume
or ftp://ftp.sri.com/VL/risks for previous VoLume
http://www.risks.org takes you to Lindsay Marshall's searchable archive at
newcastle: http://catless.ncl.ac.uk/Risks/VL.IS.html gets you VoLume, ISsue.
Lindsay has also added to the Newcastle catless site a palmtop version
of the most recent RISKS issue and a WAP version that works for many but
not all telephones: http://catless.ncl.ac.uk/w/r
<http://the.wiretapped.net/security/info/textfiles/risks-digest/> .
==> PGN's comprehensive historical Illustrative Risks summary of one liners:
<http://www.csl.sri.com/illustrative.html> for browsing,
<http://www.csl.sri.com/illustrative.pdf> or .ps for printing
is no longer maintained up-to-date except for recent election problems.
==> Special Offer to Join ACM for readers of the ACM RISKS Forum:
<http://www.acm.org/joinacm1>
------------------------------
End of RISKS-FORUM Digest 26.64
************************
