Risks Digest 28.68

RISKS-LIST: Risks-Forum Digest Thursday 11 June 2015 Volume 28 : Issue 68

ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
Peter G. Neumann, moderator, chmn ACM Committee on Computers and Public Policy

***** See last item for further information, disclaimers, caveats, etc. *****
This issue is archived at <http://www.risks.org> as
<http://catless.ncl.ac.uk/Risks/28.68.html>
The current issue can be found at
<http://www.csl.sri.com/users/risko/risks.txt>

Contents:
All U.S. United Flights Grounded Over Mysterious Problem (PGN)
Airbus transport crash caused by "wipe" of critical engine control data
(Ars Technica)
Man dies in Corvette after battery cable becomes loose (Khou via
Mark Thorson)
Traffic Hacking: Caution Light Is On (Nicole Perlroth)
OpenSesame: 10-sec universal garage door opener (Dennis Fisher)
Amtrak Engineer Not on Phone at Time of Derailment, Investigators Find
(NYTimes)
After Silences and Setbacks, the LightSail Spacecraft Is Revived (NYT)
Evidence of Healthcare Breaches Lurks On Infected Medical Devices
(Werner U)
New exploit leaves most Macs vulnerable to permanent backdooring
(Dan Goodin)
Breach in a Federal Computer System Exposes Personnel Data (NYTimes)
Chinese Hackers Behind Breach at Insurers Are Also Responsible for
Government Attack (NYTimes)
Single Test for All Virus Exposure Opens Doors for Researchers (NYT)
Kaspersky Lab cybersecurity firm is hacked (BBC)
Consumers Dislike Data-Mining but Feel Helpless to Stop It (NYT)
Exclusive: In 'year of Apple Pay', many top retailers remain skeptical
(Reuters)
"Governments of the World Agree: Encryption Must Die!" (Lauren Weinstein)
Japanese pension organization phished, 1.25M people's data leaked
(chiaki ishikawa)
Twitter Advertisers Can Now Target You Based on the Other Phone Apps
(recode)
Re: "NOBUS can shoot ourselves in the foot like this" (Chris Drewe)
Re: Volvo has an accident, but not the one you thought (Peter Ladkin)
Re: EU wants to kill open Wi-Fi (Peter Ladkin)
Re: You Can Be Prosecuted for Clearing Your Browser History
(Henry Baker)
Re: House of Discards: Wikipedia pre-election edits (Henry Baker)
REVIEW - "The Florentine Deception", Carey Nachenberg (Rob Slade)
Abridged info on RISKS (comp.risks)

----------------------------------------------------------------------

Date: Thu, 11 Jun 2015 11:03:52 PDT
From: "Peter G. Neumann" <neu...@csl.sri.com>
Subject: All U.S. United Flights Grounded Over Mysterious Problem

All United Airlines flights in the US were grounded this morning for nearly
an hour, over `dispatching information'. Various tweets from passengers
suggest different possible explanations: hacked network? fake flight plans?
disgorging random plans? dropped flight plans? Considerable confusion?
The problem was then resolved.
http://www.wired.com/2015/06/united-flights-grounded-mysterious-problem/

------------------------------

Date: Wed, 10 Jun 2015 08:44:33 -0700
From: Lauren Weinstein <lau...@vortex.com>
Subject: Report: Airbus transport crash caused by "wipe" of critical engine
control data

http://arstechnica.com/information-technology/2015/06/report-airbus-transport-crash-caused-by-wipe-of-critical-engine-control-data/

------------------------------

Date: Wed, 10 Jun 2015 13:18:17 -0700
From: Mark Thorson <e...@sonic.net>
Subject: Man dies in Corvette after battery cable becomes loose

The doors don't open without battery power. There is a mechanical release,
but it's hidden and many Corvette owners don't know about it. This man may
have died while reading his owner's manual, which adds a new dimension to
the term RTFM.

http://www.khou.com/story/news/local/texas/2015/06/10/texas-man-dog-die-after-being-trapped-in-corvette/70999112/

------------------------------

Date: 11 Jun 2015 09:49:32 -0400
From: "Bob Frankston" <bob19...@bobf.frankston.com>
Subject: Traffic Hacking: Caution Light Is On (Nicole Perlroth)

Today's NYTimes.com
http://bits.blogs.nytimes.com/2015/06/10/traffic-hacking-caution-light-is-on/?_r=0

[The article might be interpreted as implying that so-called `smart'
anythings could all be vulnerable. No surprise to RISKS readers. PGN]

------------------------------

Date: Fri, 05 Jun 2015 14:24:25 -0700
From: Henry Baker <hba...@pipeline.com>
Subject: OpenSesame: 10-sec universal garage door opener

FYI -- It usually takes me longer than 10 seconds to find the right button
to push...

Dennis Fisher, 4 Jun 2015
Using a Toy to Open a Fixed-Code Garage Door in 10 Seconds
https://threatpost.com/using-a-toy-to-open-a-fixed-code-garage-door-in-10-seconds/113146

------------------------------

Date: Wed, 10 Jun 2015 09:46:51 -0400
From: Monty Solomon <mo...@roscom.com>
Subject: Amtrak Engineer Not on Phone at Time of Derailment, Investigators Find

http://www.nytimes.com/2015/06/11/us/amtrak-crash-engineer-brandon-bostian-not-on-cellphone-ntsb-says.html

------------------------------

Date: Tue, 9 Jun 2015 03:10:31 -0400
From: Monty Solomon <mo...@roscom.com>
Subject: After Silences and Setbacks, the LightSail Spacecraft Is Revived

http://www.nytimes.com/2015/06/08/science/space/lightsail-setbacks-spacecraft-prepares-unfurl-sail.html

LightSail was successfully deployed and worked for two days before its
computer crashed because of a software flaw.

Eight days of silence followed until, as engineers expected, a high-speed
charged particle zipping through space fortuitously scrambled part of the
computer's memory and caused the computer to restart ... and deploy its
solar sail.

------------------------------

Date: Tue, 9 Jun 2015 05:15:48 +0200
From: Werner U <wer...@gmail.com>
Subject: Evidence of Healthcare Breaches Lurks On Infected Medical Devices

[regarding an 8 June 2015 article on The Security Ledger website]

chicksdaddy <http://it.slashdot.org/%7Echicksdaddy> wrote on SLASHDOT
http://it.slashdot.org/story/15/06/08/166207/report-evidence-of-healthcare-breaches-lurks-on-infected-medical-devices

*Evidence that serious and widespread breaches of hospital and healthcare
networks are likely to be hiding on compromised and infected medical devices in
clinical settings
<https://securityledger.com/2015/06/x-rays-behaving-badly-devices-give-malware-foothold-on-hospital-networks/>,
including medical imaging machines, blood gas analyzers and more, according
to a report by the firm TrapX. In the report, which will be released this
week, the company details incidents of medical devices and management
stations infected with malicious software at three separate customer
engagements. According to the report, medical devices -- in particular
so-called picture archive and communications systems (PACS) radiologic
imaging systems -- are all but invisible to security monitoring systems
and provide a ready platform for malware infections to lurk on hospital
networks, and for malicious actors to launch attacks on other, high-value IT
assets. Malware at a TrapX customer site spread from an unmonitored PACS
system to a key nurse's workstation. The result: confidential hospital data
was secreted off the network to a server hosted in Guiyang, China.
Communications went out encrypted using port 443 (SSL), resulting in the
leak of an unknown number of patient records. "The medical devices
themselves create far broader exposure to the healthcare institutions than
standard information technology assets," the report concludes. One
contributing factor to the breaches: Windows 2000 is the OS of choice for
"many medical devices." The version that TrapX obtained "did not seem to
have been updated or patched in a long time," the company writes.*

------------------------------

Date: Sun, 7 Jun 2015 23:33:08 -0400
From: Monty Solomon <mo...@roscom.com>
Subject: New exploit leaves most Macs vulnerable to permanent backdooring
(Dan Goodin)

Hack allows firmware to be rewritten right after older Macs awake from sleep.
Dan Goodin, *Ars Technica*. 1 Jun 2015

Macs older than a year are vulnerable to exploits that remotely overwrite
the firmware that boots up the machine, a feat that allows attackers to
control vulnerable devices from the very first instruction.

http://arstechnica.com/security/2015/06/new-remote-exploit-leaves-most-macs-vulnerable-to-permanent-backdooring/

------------------------------

Date: Fri, 5 Jun 2015 01:50:53 -0400
From: Monty Solomon <mo...@roscom.com>
Subject: Breach in a Federal Computer System Exposes Personnel Data

http://www.nytimes.com/2015/06/05/us/breach-in-a-federal-computer-system-exposes-personnel-data.html

The intrusion, which appears to have involved information on about four
million current and former government workers, was the third such breach in
the last year.

------------------------------

Date: Fri, 5 Jun 2015 01:51:46 -0400
From: Monty Solomon <mo...@roscom.com>
Subject: Chinese Hackers Behind Breach at Insurers Are Also Responsible for
Government Attack

Researchers say it suggests spies are no longer just stealing American
corporate and military trade secrets, but personal information for some
later purpose.
http://www.nytimes.com/2015/06/05/technology/chinese-hackers-behind-breach-at-insurers-are-also-responsible-for-government-attack-researchers-say.html

[See also
http://www.huffingtonpost.com/2015/06/04/government-data-breach_n_7514620.html
PGN]

------------------------------

Date: Thu, 4 Jun 2015 20:12:26 -0400
From: Monty Solomon <mo...@roscom.com>
Subject: Single Test for All Virus Exposure Opens Doors for Researchers

http://www.nytimes.com/2015/06/05/health/single-blood-test-for-all-virus-exposures.html

It's like one-stop shopping for scientists: a blood test can now show every
virus that has crossed a person's path, lending insight into disease.

------------------------------

Date: Wed, 10 Jun 2015 18:46:49 +0000
From: PGN
Subject: Kaspersky Lab cybersecurity firm is hacked (BBC)

BBC, 10 Jun 2015
http://www.bbc.com/news/technology-33083050

"Kaspersky Lab said it believed the attack was designed to spy on its newest
technologies. It said the intrusion involved up to three previously unknown
techniques."

------------------------------

Date: Fri, 5 Jun 2015 14:36:32 -0400
From: Monty Solomon <mo...@roscom.com>
Subject: Consumers Dislike Data-Mining but Feel Helpless to Stop It

Many Americans do not think the trade-off of their data for personalized
services, giveaways or discounts is a fair deal, a University of
Pennsylvania study found.
http://www.nytimes.com/2015/06/05/technology/consumers-conflicted-over-data-mining-policies-report-finds.html

------------------------------

Date: Sun, 7 Jun 2015 23:28:26 -0400
From: Monty Solomon <mo...@roscom.com>
Subject: Exclusive: In 'year of Apple Pay', many top retailers remain skeptical

http://www.reuters.com/article/2015/06/05/us-apple-pay-idUSKBN0OL0CM20150605

------------------------------

Date: Thu, 4 Jun 2015 14:18:52 -0700
From: Lauren Weinstein <lau...@vortex.com>
Subject: Lauren's Blog: "Governments of the World Agree: Encryption Must Die!"

Governments of the World Agree: Encryption Must Die!
http://lauren.vortex.com/archive/001104.html

Finally! There's something that apparently virtually all governments around
the world can actually agree upon. Unfortunately, it's on par conceptually
with handing out hydrogen bombs as lottery prizes.

If the drumbeat isn't actually coordinated, it might as well be. Around the
world, in testimony before national legislatures and in countless interviews
with media, government officials and their surrogates are proclaiming the
immediate need to "do something" about encryption that law enforcement and
other government agencies can't read on demand.

Here in the U.S., it's a nearly constant harangue over on FOX News
(nightmarishly, where most Americans apparently get their "news" these
days). On CNN, it's almost as pervasive (though anti-crypto tirades on CNN
must share space with primetime reruns of a globetrotting celebrity chef and
crime "reality" shows).

It's much the same if you survey media around the world. The names and
officials vary, but the message is the same -- it's not just terrorism
that's the enemy, it's encryption itself.

That argument is a direct corollary to governments' decidedly mixed feelings
about social media on the Internet. On one hand, they're ecstatic over the
ability to monitor the public postings of criminal organizations like ISIL
(or ISIS, or Islamic State, or Daesh -- just different labels for the same
fanatical lunatics) that sprung forth from the disastrously misguided
policies of Bush 1 and Bush 2 era right-wing neocons -- who not only set the
stage for the resurrection of long-suppressed religious rivalries, but
ultimately provided them with billions of dollars worth of U.S. weaponry as
well. Great job there, guys.

Since it's also the typical role of governments to conflate and confuse
issues whenever possible for political advantage, when we dig deeper into
their views on social media and encryption we really go down the rabbit
hole.

While governments love their theoretical ability to track pretty much every
looney who posts publicly on Twitter or Facebook or Google+, governments
simultaneously bemoan the fact that it's possible for uncontrolled
communications -- especially international communications -- to take place
at all in these contexts.

In particular, it's the ability of radical nutcases overseas to recruit
ignorant (especially so-called "lone wolf") nutcases in other countries that
is said to be of especial concern, notably when these communications
suddenly "go dark" off the public threads and into private, securely
encrypted channels.

"Go dark" -- by the way -- is now the government code phrase for crypto they
can't read on demand. Dark threads, dark sites, dark links. You get the
idea.

One would be remiss to not admit that these radical recruiting efforts are
of significant concern.

But where governments' analysis breaks down massively is with the direction
of their proposed solutions, which aren't aimed at addressing the root
causes of fanatical religious terrorism, but rather appear almost entirely
based on preventing secure communications -- for anybody! -- in the first
place.

Naturally they don't phrase this goal in quite those words. Rather, they
continue to push (to blankly nodding politicians, journalists, and cable
anchors) the tired and utterly discredited concept of "key escrow"
cryptography, where governments would have "backdoor" keys to unlock
encrypted communications, supposedly only when absolutely necessary and with
due legal process.

Rewind 20 years or so and it's like "Groundhog Day" all over again, back in
the early to mid 90s when NSA was pushing their "Clipper Chip" hardware
concept for key escrowed encryption, an idea that was mercilessly buried in
relatively short order.

But like a vampire entombed without appropriate rituals, the old key escrow
concepts have returned to the land of the living, all the uglier and more
dangerous after their decades festering in the backrooms of governments.

The hardware Clipper concept dates to a time well before the founding of
Twitter or Facebook, and a few years before Google's arrival. Apple existed
back then, but centralized social media as we know it today wasn't yet even
really a glimmer in anyone's eye.

While governments generally seem to realize that stopping all crypto that
they can't access on demand is not practical, they also realize that the big
social media platforms (of which I've named only a few) -- where most users
do most of their social communicating -- are the obvious targets for
legislative, political, and other pressures.

And this is why we see governments subtly (and often, not so subtly)
demonizing these firms as being uncooperative or somehow uncaring about
fighting evil, about fighting crime, about fighting terrorism. How dare
they -- authorities repeat as a mantra -- implement encryption systems that
governments cannot access at the click of a mouse, or sometimes access at
all under any conditions.

Well, welcome to the 21st century, because the encryption genie isn't going
back into his bottle, no matter how hard you push.

Strong crypto is critical to our communications, to our infrastructures, to
our economies, and increasingly to many other aspects of our lives.

Strong crypto is simply not possible -- let's say that once more with
feeling -- not possible, given key escrow or other government backdoors
designed into these systems. There is no practical or even theoretically
accepted means for including such mechanisms without fatally weakening the
entire associated encryption ecosystem, and opening it up to all manner of
unauthorized access via hacking and various subversions of the key escrow
process.

But governments just don't seem willing to accept the science and reality of
this, and keep pushing the key escrow meme. It's like the old joke about the
would-be astronaut who wanted to travel to the sun, and when reminded that
he'd burn up, replied that it wasn't a problem, because he'd go at
night. Right.

Notably, just as we had governments who ignored realistic advice and
unleashed the monsters of religious fanatical terrorism, we now have many of
the same governments on the cusp of trying to hobble, undermine, and
decimate the strong encryption systems that are so very vital.

There's every reason to believe that we'd experience a similarly disastrous
outcome in the encryption context as well, especially if social media firms
were required to deploy only weak crypto -- putting the vast populations of
innocent users at risk -- while driving the bad guys even further
underground and out of view.

If we don't vigorously fight back against government efforts to weaken
encryption, we're all going to be badly burned.

------------------------------

Date: Fri, 05 Jun 2015 13:29:31 +0900
From: chiaki ishikawa <ishi...@yk.rim.or.jp>
Subject: Japanese pension organization phished, 1.25M people's data leaked

Reading the discussion about "Re: Only 3% of people aced Intel's phishing
quiz", I have to wonder how much we should educate the general public AND
the SYSTEM INTEGRATORS who hire new graduates without much experience in
security matters.

The recent news brought this issue home:
the Japanese Pension Service (run by the government) was attacked by phishing,
and as a result, data for 1.25 million people got leaked, according to
news articles in the past few days.

What irked me most, as someone who is in the ICT industry and has an interest
in security matters, is the comment uttered by a senior official according to
some news articles in different publications. (So I assume it was in a live
interview or something and *is* FOR REAL, to my utter dismay.):

My translation:

"The organization will take more security measures, including that the PCs
that handle individuals' data cannot access the outside Internet, ..."

A PC/terminal that handles the private information at the Pension Service can
talk directly to the outside WAN?
I WAS INCREDULOUS INITIALLY.

And this seems to be the case, indeed, and that is how a large amount (maybe
not total) of the leak seems to have occurred. Sigh.

In the aftermath of the revealed incident, some high government officials
blamed the pension fund for its handling of private data, saying that a clerk
should not open an attachment to e-mail from outside sources.

But to err is human.

I think such an organization ought to

1. - Use a customized mail client so that the clerk on a PC that handles the
sensitive data can never open an attachment at all: Yes, what I mean is even
if a clerk clicks on an attachment or a URL within the main text by
mistake or something, it SHOULD NOT OPEN it at all. (Well, I think Mozilla's
mailer is open source, and there are other open source mail clients.
Customizing them to disable certain operations won't be difficult. If a
clueless correspondent sends an attachment, it can be opened, after forwarding,
on a very very carefully quarantined computer running a virtual PC
environment.)

AND OF COURSE

2. - such PC with sensitive data should not be capable of talking to the
outside Internet directly.

Regarding the second point, the sophistication of the worms means that they
may be able to install a communication proxy on an Internet-capable intranet
PC that relays the communication from the Internet-blocked PC to the
outside world, but proper filtering at the local PCs or switches ought to
prevent such issues: I looked at Norton Internet Security on my PC and I
think it can restrict communication to only a selected few and it can
disable all inbound communication. So it can thwart the use of a proxy,
etc. (And actually, this has been a pain in the neck when I try to use a
Privoxy proxy running on a PC from a Linux image running on a different PC.)
So it is easily doable today. Of course, we need constant and independent
checks of the firewall settings of such locally installed security tools.

Anyway, I really would like to know who DESIGNED the intranet at the Pension
Service so that we can learn from the mistakes...

I found some English articles about this.

[1]
https://www.itgovernance.co.uk/blog/1-25-million-japanese-pension-records-leaked-following-phishing-attack/
[2]
http://www.tripwire.com/state-of-security/latest-security-news/hackers-steal-over-a-million-japanese-citizens-personal-data-in-targeted-attack/

But these leave out some key issues and are a little misinformed as to the
serious nature of the attack.

Today's Asahi Shimbun newspaper article (online) [in Japanese]
gives a very detailed, good report of what has happened.
http://www.asahi.com/articles/ASH647G88H64UTIL04R.html?iref=comtop_6_01

Usually details remain obscured for this type of incident, but given the
sloppy work of system integrator(s) at key government services in the past,
I think someone high up in the command of government security matters must
have decided that the detailed explanation would be good to educate the ICT
community to rise up from this shoddy level of awareness.

At least the next time something like this happens, the government can sue
system integrators for gross negligence by citing this incident and the
publicized method of the attack.

NOW THERE IS AN ECONOMIC INCENTIVE on the side of system integrators to make
sure proper security measures are in place.

I suspect this is the only stick that sinks in security lessons.

From the above link of Asahi Shimbun, I have learned the following:

A certain "Takemura" sent an e-mail using some jargon from the pension
business and explained that he had sent some suggestions on the procedure at
the organization, and this made the recipient believe that the sender was well
versed in pension matters.

Now, according to the article, the clerk clicked on the URL at the end of
the e-mail (OK, so no attachment is involved this time around, but a mere
URL click). [At least my suggestion above would block this operation.]
This caused a download of malware with a 0-day attack! It collected the ID of
the user on the PC, etc. Also, this malware subsequently downloaded bot
software.

There was a trace that this malware created clones so that even if one was
eradicated, the others would remain, and it seems that it tried to connect to
other PCs on the LAN.

Within less than 5 hours of the contamination, the Pension Service was
notified of strange network activity of the PC by NISC (National Information
Security Center), and pulled the plug.

This was on May 8th.

10 days later, at two-minute intervals, about 100 phishing e-mails arrived
at addresses within the organization, including some which were never
publicized outside before, with a virus attachment, and now the "From:"
address shown was that of an INTERNAL address (!). But the originating IP
address was the same as that of the initial attack. [Obviously some clever
attack is being waged.] I have no idea whether the e-mail from the originating
IP address was blocked or not.

Anyway, on May 21, two PCs in the same office were found to be communicating
with external IP addresses. Surprise. One is the "replacement PC" of the
clerk whose PC was pulled off the network (!?) On May 23, 9 more PCs in a
different office (now in Tokyo) were found to be doing the same.

The rest is history.

At least the newspaper article stated that the forensics have only determined
how the initial PC and the two PCs found on May 21 were attacked and hijacked.
It is not known how the others got infected.

The current Japanese administration is trying to introduce a single numeric ID
for each citizen in Japan for efficient administrative processing, a la the SS
number in the USA.

In the face of this breach, it is hard to sell such a policy now. Too easy a
target for ID theft, etc., unless proper security measures and preventive
measures for limiting the damage of ID theft are in place.

At least, I hope that there will be more scrutiny on the security design of
the computer systems.

P.S. I suspect this phishing is part of well-orchestrated attacks by
organized crime or something. News articles report the police seem to have
found part of the leaked data on data servers used by previous phishing
attacks (which I assume they have been monitoring for illegal activities).
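Added example, not part of the original post and not code from the Pension Service or the Asahi report: a Python sketch of three gateway-log checks that the timeline above suggests a defender could run, namely a From: address in the organization's own domain arriving from an external client IP, a fixed-cadence burst of messages from one external IP on one day, and whether that IP was already seen in an earlier event. The mail domain, the address ranges and the log lines are constructed placeholders.

```python
import ipaddress
import re
from collections import defaultdict
from datetime import datetime
from statistics import median

# Assumed values (not from the article): the organization's mail domain and
# its internal address ranges.  A real deployment would load these from config.
INTERNAL_DOMAIN = "pension.example"
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8"),
                 ipaddress.ip_network("192.168.0.0/16")]

# Constructed mail-gateway log excerpt (one line per accepted message), shaped
# after the Asahi timeline: one external message on 8 May, then a wave ten days
# later at two-minute intervals from the same client IP with internal From:.
SAMPLE_LOG = """\
2015-05-08T10:12:00 client=198.51.100.7 from=takemura@mail.example.net to=clerk1@pension.example
2015-05-12T14:03:00 client=10.1.2.3 from=clerk2@pension.example to=clerk1@pension.example
2015-05-18T09:00:00 client=198.51.100.7 from=staff7@pension.example to=clerk1@pension.example
2015-05-18T09:02:00 client=198.51.100.7 from=staff7@pension.example to=clerk2@pension.example
2015-05-18T09:04:00 client=198.51.100.7 from=staff7@pension.example to=clerk3@pension.example
2015-05-18T09:06:00 client=198.51.100.7 from=staff7@pension.example to=payroll@pension.example
2015-05-18T09:08:00 client=198.51.100.7 from=staff7@pension.example to=audit@pension.example
2015-05-18T09:10:00 client=198.51.100.7 from=staff7@pension.example to=clerk4@pension.example
2015-05-18T11:30:00 client=203.0.113.5 from=vendor@supplier.example to=clerk1@pension.example
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) client=(?P<ip>[\d.]+) from=(?P<sender>\S+) to=(?P<rcpt>\S+)$")


def parse_log(text):
    """Turn the gateway log into a list of records; malformed lines are skipped."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        records.append({
            "ts": datetime.fromisoformat(m["ts"]),
            "ip": ipaddress.ip_address(m["ip"]),
            "sender": m["sender"].lower(),
            "rcpt": m["rcpt"].lower(),
        })
    return records


def is_internal_ip(ip):
    return any(ip in net for net in INTERNAL_NETS)


def spoofed_internal_senders(records):
    """Check 1: a From: address in our own domain that entered from an external
    client IP.  Genuine internal mail never arrives from outside, so every hit
    is a forged sender worth quarantining, or at least flagging to the reader."""
    suffix = "@" + INTERNAL_DOMAIN
    return [r for r in records
            if r["sender"].endswith(suffix) and not is_internal_ip(r["ip"])]


def cadenced_bursts(records, min_count=5, tolerance_s=10):
    """Check 2: per external IP and day, find runs of >= min_count messages whose
    inter-arrival gaps all sit within tolerance_s of the median gap.  A human
    correspondent does not send on a metronome; a mass-mailing tool does."""
    by_key = defaultdict(list)
    for r in records:
        if not is_internal_ip(r["ip"]):
            by_key[(str(r["ip"]), r["ts"].date().isoformat())].append(r["ts"])
    bursts = {}
    for key, stamps in by_key.items():
        if len(stamps) < min_count:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        med = median(gaps)
        if all(abs(g - med) <= tolerance_s for g in gaps):
            bursts[key] = {"count": len(stamps), "interval_s": med}
    return bursts


def earlier_activity(records, ip, before):
    """Check 3: was this client IP seen before the current event?  The article
    notes that the second wave came from the IP of the initial attack."""
    if isinstance(before, str):
        before = datetime.fromisoformat(before)
    target = ipaddress.ip_address(ip)
    return [r for r in records if r["ip"] == target and r["ts"] < before]


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    for r in spoofed_internal_senders(recs):
        print("forged internal sender:", r["ts"], r["ip"], r["sender"], "->", r["rcpt"])
    for (ip, day), info in cadenced_bursts(recs).items():
        print(f"cadenced burst from {ip} on {day}: {info['count']} msgs, every {info['interval_s']:.0f}s")
        for r in earlier_activity(recs, ip, day):
            print("  same IP seen earlier:", r["ts"], r["sender"])
```

Blocking inbound mail whose From: claims the local domain is a gateway policy, not a client feature, which is why the check sits on the gateway log rather than in the customized mail client suggested above.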

------------------------------

Date: Wed, 10 Jun 2015 22:27:53 -0700
From: Lauren Weinstein <lau...@vortex.com>
Subject: Twitter Advertisers Can Now Target You Based on the Other Phone Apps

http://recode.net/2015/06/10/twitter-advertisers-can-now-target-you-based-on-the-other-apps-on-your-phone/

For the past six months, Twitter has been collecting data on which
smartphone apps its users download. Now, the company is using that data to
make some money. Twitter announced on Wednesday that its advertisers can
use that app information to target users with ads. Marketers will be able
to target you based on the different categories of apps you have
downloaded onto your phone as well as how recently you downloaded them.

I'm incredibly disappointed in the direction Twitter has been taking. I
understand why they've felt they need to go in this direction, but that's
not an excuse. They're spamming like mad, and now this. Unacceptable, and
why I hardly use Twitter any more.

------------------------------

Date: Wed, 10 Jun 2015 15:10:17 +0100
From: Chris Drewe <e76...@yahoo.co.uk>
Subject: Re: "NOBUS can shoot ourselves in the foot like this" (RISKS-28.67)

As it happens, there's a review in this weekend's newspaper of a book 'The
New Spymasters' by Stephen Grey (Viking) which makes a similar point.
http://www.telegraph.co.uk/culture/books/bookreviews/11648193/Whats-the-point-of-spies.html

In summary it says:

Langley was far too reliant on technology (or SIGINT), preferring to amass
vast amounts of data on suspected terrorists with few credible human
sources to corroborate it. As Grey observes: ``All this scientific
espionage was bewitching. Cool gadgets and smart techniques inspired awe
and a confidence that was comparable to religious zeal.'' ... What was
missing from the American approach, in the author's view, was good,
old-fashioned HUMINT. ``Human spies can be terribly frail and unreliable,
but without any element of understanding and verification through human
intelligence, and without basic common sense, terrible errors are bound to
follow.''

There's some debate here in the UK right now (following the recent election)
on what surveillance powers the authorities should have; as usual, there's a
hard sell for the idea that if they can't "collect it all" then we'll all be
blown up by terrorists, but personally I'm more afraid of the country
becoming like 1970s East Germany.

Charles Cumming, What's the point of spies?

A new book about spying argues that modern digital surveillance is no
substitute for old-fashioned espionage
http://www.telegraph.co.uk/culture/books/bookreviews/11648193/Whats-the-point-of-spies.html
[Long item truncated for RISKS. PGN]

------------------------------

Date: Fri, 05 Jun 2015
From: Peter Bernard Ladkin <lad...@rvs.uni-bielefeld.de>
Subject: Re: Volvo has an accident, but not the one you thought (Reisert)

Jim Reisert pointed to a fusion.net article in Risks 28.66 on someone
experimenting with a Volvo inadvisedly. Andrew Pam pointed out some of the
real context in Risks 28.67.

I searched for articles on the incident. There are a few, but many are
derivative. I summarised what I found in
http://www.abnormaldistribution.org/2015/06/05/volvo-has-an-accident/ , and
commented.

There has to be some lesson in someone trying out a protective function, on
live people, with which the car was not equipped. There has to be some
lesson in trying out any protective function on live people. There has to be
some lesson in conducting the trial in such a way that the protective
function would have been suppressed. And there has to be some lesson in
conducting this trial without informing oneself about the capabilities of
the vehicle or taking elementary safety precautions in case things go wrong.

This last, BTW, is also a problem for professionals. There are incidents of
professional pilots conducting return-to-service tests on commercial
aircraft ... and of augering in because they were assuming the tests would
succeed and they didn't! The main lesson is to remember that functional
tests can always have at least two outcomes: pass and fail.

Peter Bernard Ladkin, University of Bielefeld and Causalis Limited
www.rvs.uni-bielefeld.de www.causalis.com

------------------------------

Date: Fri, 05 Jun 2015 13:01:02 +0200
From: Peter Bernard Ladkin <lad...@rvs.uni-bielefeld.de>
Subject: Re: EU wants to kill open Wi-Fi (Weinstein, Risks 28.67)

Lauren Weinstein writes misleadingly about German law and Wi-Fi networks in
RISKS-28.67.

He says "...the Court of Justice of the European Union ..... is asked
whether an enforcement practice requiring open wireless networks to be
locked is an acceptable one. Germany's Federal Supreme Court in 2010 held
that the private operator of a wireless network is obliged to use password
protection in order to prevent abuse by third parties....."

Let me set the record straight.

There is no such requirement and no such obligation in Germany (or anywhere
else I know).

The CJEU has been asked by a lawyer with Pinsent Masons to rule on whether
operators of unsecured Wi-Fi networks can be held liable for copyright
infringement conducted using their networks.

http://www.out-law.com/en/articles/2014/november/cjeu-asked-to-rule-on-copyright-liability-of-operators-of-free-and-open-wi-fi-networks-/

Peter Bernard Ladkin, University of Bielefeld and Causalis Limited
www.rvs.uni-bielefeld.de www.causalis.com

------------------------------

Date: Thu, 04 Jun 2015 21:39:43 -0700
From: Henry Baker <hba...@pipeline.com>
Subject: Re: You Can Be Prosecuted for Clearing Your Browser History (R-28.67)

FYI -- Hmmm... Not a single Wall Street banker has faced jail time due to
their part in almost bankrupting the country (and the world), yet we're
using the *Sarbanes-Oxley Act* !?!, a law aimed at financial wrongdoing
enacted by Congress in the wake of the Enron scandal, to prosecute
non-financial crimes?

Remind me again which Constitution is supposed to be in effect in the U.S. ?

------------------------------

Date: Fri, 05 Jun 2015 10:25:17 -0700
From: Henry Baker <hba...@pipeline.com>
Subject: Re: House of Discards: Wikipedia pre-election edits (Ladkin)

> It's only one sentence; he doesn't justify the connection he makes and I
> don't see one.

Two words: "Dennis Hastert".

Dennis Hastert was 3rd in line to be President, and presided over a lot of
legislation regarding sexual harassment (and worse).

Due to Wikipedia (& other) edits, "right-to-be-forgotten" countries will now
be electing their own Dennis Hasterts.

Those who are ready to forget the past shouldn't be surprised when the past
repeats itself.

Once again, "right-to-be-forgotten" is incompatible with democratic
representative government. Yes, remembering past mistakes is painful, but
the alternative (totalitarian govt) is far, far worse.

------------------------------

Date: Wed, 10 Jun 2015 09:06:33 -0800
From: Rob Slade <rms...@shaw.ca>
Subject: REVIEW - "The Florentine Deception", Carey Nachenberg

BKFLODEC.RVW 20150609

"The Florentine Deception", Carey Nachenberg, 2015, 978-1-5040-0924-9,
U$13.49/C$18.91
%A Carey Nachenberg http://florentinedeception.com
%C 345 Hudson Street, New York, NY 10014
%D 2015
%G 978-1-5040-0924-9 150400924X
%I Open Road Distribution
%O U$13.49/C$18.91 www.openroadmedia.com
%O http://www.amazon.com/exec/obidos/ASIN/150400924X/robsladesinterne
http://www.amazon.co.uk/exec/obidos/ASIN/150400924X/robsladesinte-21
%O http://www.amazon.ca/exec/obidos/ASIN/150400924X/robsladesin03-20
%O Audience n+ Tech 3 Writing 2 (see revfaq.htm for explanation)
%P 321 p.
%T "The Florentine Deception"

It gets depressing, after a while. When you review a bunch of books on the
basis of the quality of the technical information, books of fiction are
disappointing. No author seems interested in making sure that the
technology is in any way realistic. For every John Camp, who pays attention
to the facts, there are a dozen Dan Browns who just make it up as they go
along. For every Toni Dwiggins, who knows what she is talking about, there
are a hundred who don't.

So, when someone like Carey Nachenberg, who actually works in malware
research, decides to write a story using malicious software as a major plot
device, you have to be interested. (And besides, both Mikko Hypponen and
Eugene Spafford, who know what they are talking about, say it is technically
accurate.)

I will definitely grant that the overall "attack" is technically sound. The
forensics and anti-forensics make sense. I can even see young geeks with
more dollars than sense continuing to play "Nancy Drew" in the face of
mounting odds and attackers. That a vulnerability can continue to go
undetected for more than a decade would ordinarily raise a red flag, but
Nachenberg's premise is realistic (especially since I know of a
vulnerability at that very company that went unfixed for seven years after
they had been warned about it). That a geek goes rock-climbing with a
supermodel we can put down to poetic license (although it may increase the
license rates). I can't find any flaws in the denouement.

But. I *cannot* believe that, in this day and age, *anyone* with a
background in malware research would knowingly stick a thumb/jump/flash/USB
drive labeled "Florentine Controller" into his, her, or its computer. (This
really isn't an objection: it would only take a couple of pages to have
someone run up a test to make sure the thing was safe, but ...)

Other than that, it's a joy to read. It's a decent thriller, with some
breaks to make it relaxing rather than exhausting (too much "one damn thing
after another" gets tiring), good dialog, and sympathetic characters. The
fact that you can trust the technology aids in the "willing suspension of
disbelief."

While it doesn't make any difference to the quality of the book, I should
mention that Carey is donating all author profits from sales of the book to
charity: http://florentinedeception.weebly.com/charities.html

copyright, Robert M. Slade 2015 BKFLODEC.RVW 20150609
rsl...@vcn.bc.ca sl...@victoria.tc.ca rsl...@computercrime.org
victoria.tc.ca/techrev/rms.htm http://www.infosecbc.org/links

------------------------------

Date: Mon, 17 Nov 2014 11:11:11 -0800
From: RISKS-...@csl.sri.com
Subject: Abridged info on RISKS (comp.risks)

The ACM RISKS Forum is a MODERATED digest. Its Usenet manifestation is
comp.risks, the feed for which is donated by panix.com as of June 2011.
=> SUBSCRIPTIONS: PLEASE read RISKS as a newsgroup (comp.risks or equivalent)
if possible and convenient for you. The mailman Web interface can
be used directly to subscribe and unsubscribe:
http://mls.csl.sri.com/mailman/listinfo/risks
Alternatively, to subscribe or unsubscribe via e-mail to mailman
your FROM: address, send a message to
risks-...@csl.sri.com
containing only the one-word text subscribe or unsubscribe. You may
also specify a different receiving address: subscribe address= ... .
You may short-circuit that process by sending directly to either
risks-s...@csl.sri.com or risks-un...@csl.sri.com
depending on which action is to be taken.

Subscription and unsubscription requests require that you reply to a
confirmation message sent to the subscribing mail address. Instructions
are included in the confirmation message. Each issue of RISKS that you
receive contains information on how to post, unsubscribe, etc.

=> The complete INFO file (submissions, default disclaimers, archive sites,
copyright policy, etc.) is online.
<http://www.CSL.sri.com/risksinfo.html>
*** Contributors are assumed to have read the full info file for guidelines.

=> .UK users may contact <Lindsay....@newcastle.ac.uk>.
=> SPAM challenge-responses will not be honored. Instead, use an alternative
address from which you NEVER send mail!
=> SUBMISSIONS: to ri...@CSL.sri.com with meaningful SUBJECT: line.
*** NOTE: Including the string `notsp' at the beginning or end of the subject
*** line will be very helpful in separating real contributions from spam.
*** This attention-string may change, so watch this space now and then.
=> ARCHIVES: ftp://ftp.sri.com/risks for current volume
or ftp://ftp.sri.com/VL/risks for previous VoLume
http://www.risks.org takes you to Lindsay Marshall's searchable archive at
newcastle: http://catless.ncl.ac.uk/Risks/VL.IS.html gets you VoLume, ISsue.
Lindsay has also added to the Newcastle catless site a palmtop version
of the most recent RISKS issue and a WAP version that works for many but
not all telephones: http://catless.ncl.ac.uk/w/r
<http://the.wiretapped.net/security/info/textfiles/risks-digest/> .
==> PGN's comprehensive historical Illustrative Risks summary of one liners:
<http://www.csl.sri.com/illustrative.html> for browsing,
<http://www.csl.sri.com/illustrative.pdf> or .ps for printing
is no longer maintained up-to-date except for recent election problems.
*** NOTE: If a cited URL fails, we do not try to update them. Try
browsing on the keywords in the subject line or cited article leads.
==> Special Offer to Join ACM for readers of the ACM RISKS Forum:
<http://www.acm.org/joinacm1>

------------------------------

End of RISKS-FORUM Digest 28.68
************************
