RISKS Forum mailing list archives
Risks Digest 27.72
From: RISKS List Owner <risko () csl sri com>
Date: Mon, 27 Jan 2014 15:53:54 PST
RISKS-LIST: Risks-Forum Digest  Monday 27 January 2014  Volume 27 : Issue 72

ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
Peter G. Neumann, moderator, chmn ACM Committee on Computers and Public Policy

***** See last item for further information, disclaimers, caveats, etc. *****
This issue is archived at <http://www.risks.org> as
  <http://catless.ncl.ac.uk/Risks/27.72.html>
The current issue can be found at
  <http://www.csl.sri.com/users/risko/risks.txt>

  Contents:
Signal Failure at Grand Central (Peter Wild)
NEWS FLASH: Alarms are distracting! Turing off alarms is a priority!
  (Richard Irvin Cook)
Hackers Steal Law Enforcement Inquiry Documents from Microsoft
  (Lauren Weinstein)
Gmail glitches down worldwide; Hotmail hitches (Etherington/Perez)
Stolen Laptops (Laura Corriss)
Converting Google Chrome into a Bugging Device by exploiting Speech
  Recognition feature - The Hacker News (David Farber)
"Google dismisses eavesdropping threat in Chrome"
  (Jeremy Kirk via Gene Wirchenko)
How Google Calendar can tip off your boss that you want a raise
  (Dan Goodin via Monty Solomon)
Proofpoint Uncovers Internet of Things Cyberattack (Jim Reisert)
Apple.com does more to protect your password ... (Dan Goodin via Monty Solomon)
Snapchat's new "security" feature holds up about as long as a double
  cheeseburger (Lauren Weinstein)
BYOD? Leaving a Job Can Mean Losing Pictures of Grandma
  (Lauren Weber via Monty Solomon)
You don't want your privacy: Disney and the meat space data race
  (John Foreman via Monty Solomon)
Re: Risks-27.71: Medical "scribes" ease doctor's data entry burden
  (David Lesher)
Re: Software licensing as information leak (Dimitri Maziuk)
Name-collision risks (Burt Kaliski)
2nd Neuro-Inspired Computational Elements Workshop (Murat Okandan)
Abridged info on RISKS (comp.risks)

----------------------------------------------------------------------

Date: Fri, 24 Jan 2014 14:30:27 -0500
From: "Peter.Wild () sbcglobal net" <peter.wild () sbcglobal net>
Subject: Signal Failure at Grand Central causes 2-hour disruption;
  one power supply shut down for replacement; the other had a disconnected wire

  [As I say to a few close confidants, as an auditor, I am grateful that my clients continue to make the same mistakes - because that is what keeps me relevant!!!]

I thought that you might like to include the item below; the event happened at Grand Central station in New York City last night. What it does not talk about are the stampedes that happened when trains started running; it was almost dangerous.

- - - -

An Explanation & Apology for Last Evening's (Thursday, 23 Jan 2014) System-Wide Disruption of Service

The two-hour disruption in service you experienced last evening traced to human error during an electrical repair project. The computers that run the railroad's signal system lost reliable power at 7:45 PM when one of two main power supply units was taken out of service for replacement. Technicians performing the work did not realize that a wire was disconnected on the other main power supply unit. This destabilized the power supply system for more than an hour until a backup supply could be connected. At the time this incident occurred, there were more than 50 trains at various locations on all three lines.

While the cause of this power problem was being identified and repairs were being made, Rail Traffic Controllers immediately took the safest course of action. They instructed all train engineers, via radio, to bring their trains to the nearest station. This had to be done slowly, train-by-train, to ensure everyone's safety. Trains were not allowed to proceed through switches until signal maintainers could respond and manually ensure the switches were lined up correctly. All trains had light, heat and power during the disruption, and no customers were ever in danger. Customers were able to get off trains when they reached a station. Repairs were made by 9 PM.

Once repairs were made, the computers needed to reboot before we could begin running trains again. Trains began moving again by 9:30 PM. Full control over the signal system was re-established by 10:30 PM. Significant delays continued throughout the evening hours.

This project should have been analyzed for risks and redundancy before it began, and it should have been performed in the middle of the night over a weekend, not when thousands of customers were trying to get home in cold weather.

While this specific incident has been addressed and an internal review is underway, we are also bringing in an independent consultant to examine how and why these mistakes were made, and to recommend any necessary changes to operating procedures and practices.

Metro-North customers deserve better. We sincerely regret this incident and apologize for the inconvenience our customers experienced.

Peter Wild, Mobile (203) 722 9453

------------------------------

Date: Mon, 27 Jan 2014 12:45:34 +0000
From: Richard Irvin Cook <rcook () kth se>
Subject: NEWS FLASH: Alarms are distracting! Turing off alarms is a priority!

Silencing Many Hospital Alarms Leads To Better Health Care
http://www.npr.org/blogs/health/2014/01/24/265702152/silencing-many-hospital-alarms-leads-to-better-health-care

Richard I Cook, MD, Professor of Healthcare System Safety, STH, KTH, Huddinge, SWEDEN  +46 70 190 42 16  www.ctlab.org

  [The Foresight Saga once again: An ounce of prevention is worth nothing at all, because it would pound healthcare into oblivion?  PGN]

------------------------------

Date: Sat, 25 Jan 2014 08:44:58 -0800
From: Lauren Weinstein <lauren () vortex com>
Subject: Hackers Steal Law Enforcement Inquiry Documents from Microsoft

Targeted attacks like this are not uncommon, especially for an organization like Microsoft. What's interesting about this is that the incident was significant enough to disclose, indicating that a fair number of documents could have been exposed, or that the company fears some documents will make their way to the public if released by the attackers -- which may be the case if this was a `hacktivist' attack.

``In terms of the cyberattack, we continue to further strengthen our security. This includes ongoing employee education and guidance activities, additional reviews of technologies in place to manage social media properties, and process improvements based on the findings of our internal investigation.'' (Adrienne Hall, General Manager of Microsoft's Trustworthy Computing Group)

http://j.mp/1gcN2tK

  [Source: Mike Lennon, Security Week, 24 Jan 2014; via NNSquad, PGN-ed]

------------------------------

Date: Fri, 24 Jan 2014 15:18:40 PST
From: "Peter G. Neumann" <neumann () csl sri com>
Subject: Gmail glitches, Hotmail hitches

Darrell Etherington, Gmail and Google+ go down across the world, service returns after roughly 50 minutes, TechCrunch
http://techcrunch.com/2014/01/24/gmail-goes-down-across-the-world

Sarah Perez, Glitch is causing thousands of e-mails to be sent to one man's Hotmail account, TechCrunch
http://techcrunch.com/2014/01/24/gmail-glitch-is-causing-thousands-of-emails-to-be-sent-to-one-mans-hotmail-account/

------------------------------

Date: Sat, 25 Jan 2014 13:51:34 -0500
From: Laura Corriss <lcorriss () earthlink net>
Subject: Stolen Laptops

  [From Steve Greenwald's Greenwald-INFOSEC]

Okay, here we go again. Gee, Coke just announced that "employee data was exposed". How? Stolen laptops. Wow! Who would have guessed it? How is this still happening?

Actually, I know. Last May the laptop belonging to the head of Human Resources at my place of employment was stolen (but not reported to us peons (otherwise known as the organization's employees) until late December). A couple of weeks ago the university's executive committee announced that that same HR department head was promoted to Vice President, making HR a separate division. And nothing else has been said about the matter. There has been no response to the numerous e-mails and complaints that have been made (many by me, and I haven't given up). Apparently, the people running the university see that this problem is prevalent (after all, it's happening to large financial institutions, Fortune 500 companies, even the government), so evidently there is nothing they can do about it.

Maybe the focus of all the security experts on this list (and everywhere else) should be to start an information campaign to tell them that, yes, there are things that can be done and here's a list of what to do. Research is important. Figuring out how to stay ahead of (or even get close to) the hackers, thieves, insiders (i.e., the "bad guys") is important. Discussing what is and isn't working is important. But what is even more important is getting the information out there, beyond just the IT department (assuming that they have a clue). We might not be able to prevent stolen laptops, but we certainly can make sure that the resulting problems are mitigated.

My approach is to get the attention of the HR department head and the CIO and outline for them exactly what can be done to protect this from happening again (and to protect the reputation of the university). I will bring in anyone and everyone who can and is willing to help me.

I think this list should start publishing a public blog addressing these issues. All of you have connections and all of you have credentials that should make people, including executives, listen and pay attention. Protecting data on stolen laptops might be a good place to start. Anyone agree? Anyone interested? Does anyone have a better suggestion? Because every time something like this happens, it makes the security community look inconsequential and incompetent.

------------------------------

Date: Thu, 23 Jan 2014 18:00:40 -0500
From: David Farber <dfarber () me com>
Subject: Converting Google Chrome into a Bugging Device by exploiting Speech Recognition feature - The Hacker News

http://thehackernews.com/2014/01/converting-google-chrome-into-bugging.html

------------------------------

Date: Fri, 24 Jan 2014 14:39:40 -0800
From: Gene Wirchenko <genew () telus net>
Subject: "Google dismisses eavesdropping threat in Chrome" (Jeremy Kirk)

Jeremy Kirk, InfoWorld, 23 Jan 2014
Chrome can access a computer's microphone after a person thinks a speech recognition feature is off, says Web developer
http://www.infoworld.com/d/security/google-dismisses-eavesdropping-threat-in-chrome-234824

selected text:

Google said there's no threat from a speech recognition feature in its Chrome browser that a developer said could be used to listen in on users.

But Ater found that Chrome remembers if a person granted permission to a site that uses HTTPS, a security feature that encrypts communication between a client and a server. It will allow sites using HTTPS to start listening in the future without asking for permission again.

The attack doesn't work if permission isn't granted to enable speech recognition.

------------------------------

Date: Mon, 27 Jan 2014 02:55:57 -0500
From: Monty Solomon <monty () roscom com>
Subject: How Google Calendar can tip off your boss that you want a raise (Dan Goodin)

Dan Goodin, Ars Technica, 23 Jan 2014
Potential privacy leak "feature" continues to take some users by surprise.

It's a feature that has bitten Google Calendar users in the past, but it's worth a reminder: in some cases, the widely used service may unexpectedly leak sensitive information to bosses, spouses, or just about anyone else.

The inadvertent leakage stems from Google Calendar's quick add feature, which is designed to automatically add the who, what, and where to events without requiring a user to manually enter those details. Typing "Brunch with Mom at Java 11am Sunday" is intended to schedule the event for the following Sunday morning at 11 and list the place as "Java." Participants can be added by listing their e-mail addresses, and in many cases, Google will respond by automatically adding an entry to the participants' calendar as well.

Google heavily promoted this time-saving feature during the rollout of its mail and calendar services. But as documented as early as 2010, the behavior can also result in the leakage of private information for people who are unaware of it. Alas, almost four years later, it's still catching some people by surprise.

Blogger Terence Eden explained how an entry his wife put in her personal Google Calendar made its way to her boss. It read: "e-mail [boss's address] to discuss pay rise" and included a date a few months in the future. The boss quickly received the reminder as an entry in her own Google Calendar. [...]

http://arstechnica.com/security/2014/01/how-google-calendar-can-tip-off-your-boss-you-want-a-raise/

------------------------------

Date: Thu, 23 Jan 2014 19:14:38 -0700
From: Jim Reisert AD1C <jjreisert () alum mit edu>
Subject: Proofpoint Uncovers Internet of Things Cyberattack (Re: R 27 71)

More than 750,000 Phishing and SPAM e-mails Launched from "Thingbots" Including Televisions, Fridge  [PGN-ed]

SUNNYVALE, Calif. January 16, 2014. Proofpoint, Inc., a leading security-as-a-service provider, has uncovered what may be the first proven Internet of Things (IoT)-based cyberattack involving conventional household "smart" appliances. The global attack campaign involved more than 750,000 malicious e-mail communications coming from more than 100,000 everyday consumer gadgets such as home-networking routers, connected multi-media centers, televisions and at least one refrigerator that had been compromised and used as a platform to launch attacks. As the number of such connected devices is expected to grow to more than four times the number of connected computers in the next few years according to media reports, proof of an IoT-based attack has significant security implications for device owners and Enterprise targets. [...]

"Bot-nets are already a major security concern and the emergence of thingbots may make the situation much worse," said David Knight, General Manager of Proofpoint's Information Security division. "Many of these devices are poorly protected at best and consumers have virtually no way to detect or fix infections when they do occur. Enterprises may find distributed attacks increasing as more and more of these devices come on-line and attackers find additional ways to exploit them."

http://www.proofpoint.com/about-us/press-releases/01162014.php

------------------------------

Date: Mon, 27 Jan 2014 02:51:51 -0500
From: Monty Solomon <monty () roscom com>
Subject: Apple.com does more to protect your password ... (Dan Goodin)

Dan Goodin, Ars Technica, 24 Jan 2014
Apple.com does more to protect your password, study of top 100 sites finds
Which sites allow "123456"? Study names/shames the best/worst password policies.

Apple, Microsoft, Chegg, Newegg, and Target do the best job of safeguarding customer passwords, according to a comprehensive study of the top 100 e-commerce websites that also ranked Major League Baseball, Karmaloop, Dick's Sporting Goods, Toys R Us, and Aeropostale as performing the worst.

Apple.com was the only site to receive a perfect score of 100, which was based on 24 criteria, such as whether the site accepts "123456" and other extremely weak passwords and whether it sends passwords in plaintext by e-mail. Microsoft and academic supplier Chegg tied for second place with 65, while Newegg and Target came in third with 60.

By contrast, MLB received a score of -75, Karmaloop a -70, Dick's Sporting Goods a -65, and Aeropostale and Toys R US each got a -60. Each site was awarded or deducted points based on each criterion, leading to a possible score from -100 to 100.

The study was conducted by researchers from password manager Dashlane based on the password policies in effect on the top 100 e-commerce sites from January 17 through January 22. [...]

http://arstechnica.com/security/2014/01/apple-com-does-more-to-protect-your-password-study-of-top-100-sites-finds/

------------------------------

Date: Thu, 23 Jan 2014 09:45:20 -0800
From: Lauren Weinstein <lauren () vortex com>
Subject: Snapchat's new "security" feature holds up about as long as a double cheeseburger

http://j.mp/1aME2Xu  (Steve's Computer Vision Blog via NNSquad)

"With very little effort, my code was able to "find the ghost" in the above example with 100% accuracy. I'm not saying it is perfect, far from it. I'm just saying that if it takes someone less than an hour to train a computer to break an example of your human verification system, you are doing something wrong. There are a ton of ways to do this using computer vision, all of them quick and effective. It's a numbers game with computers and Snapchat's verification system is losing."

- - -

The problem is that Snapchat is demonstrating that they don't really care about security at all. They're hardly even going through the motions.

  [See also 4.6 million Snapchat phone numbers and usernames leaked (RISKS-27.68) and other items in RISKS-27.69.  PGN]

------------------------------

Date: Mon, 27 Jan 2014 01:23:00 -0500
From: Monty Solomon <monty () roscom com>
Subject: BYOD? Leaving a Job Can Mean Losing Pictures of Grandma (Lauren Weber)

Lauren Weber, *Wall Street Journal*, 21 Jan 2014
Some Companies Wipe Workers' Personal Cellphones Clean After They Leave

In early October, Michael Irvin stood up to leave a New York City restaurant when he glanced at his iPhone and noticed it was powering off. When he turned it back on again, all of his information -- email programs, contacts, family photos, apps and music he had downloaded -- had vanished. The phone looked "like it came straight from the factory," said Mr. Irvin, an independent health-care consultant.

It wasn't a malfunction. The device had been wiped clean by AlphaCare of New York, the client he had been working for full-time since April. Mr. Irvin received an email from his AlphaCare address that day confirming the phone had been remotely erased. [...]

http://online.wsj.com/news/articles/SB10001424052702304027204579335033824665964

------------------------------

Date: Mon, 27 Jan 2014 00:42:00 -0500
From: Monty Solomon <monty () roscom com>
Subject: You don't want your privacy: Disney and the meat space data race (John Foreman)

John Foreman, MailChimp, 18 Jan 2014

SUMMARY: MailChimp Chief Data Scientist is at Disney World this weekend wearing his RFID-equipped MagicBand. Here's how he thinks the practice of digitally tracking consumers in the physical world will reach everywhere from theme parks to our homes.

http://gigaom.com/2014/01/18/you-dont-want-your-privacy-disney-and-the-meat-space-data-race/

------------------------------

Date: Fri, 24 Jan 2014 13:43:53 -0500
From: David Lesher <wb8foz () panix com>
Subject: Re: Risks-27.71: Medical "scribes" ease doctor's data entry burden

  ... Instead, electronic health records have become a disease in need of a cure, as physicians do their best to diagnose and treat patients while continuously feeding the data-hungry computer.

Was this not entirely predictable? The whole EMR charade was hyped as being the penultimate solution to everything wrong with healthcare in the United States. But what EMR use was really doing was taking the #1 critical resource choke point, the work time of the MD, and instead of optimizing it, demanding [s]he spend time on clerical work best done by someone less skilled, less trained, and far far less expensive per minute.

  [The MD time touches another medical issue, infection control. Yes, if they thoroughly scrubbed between each patient visit as they do rounds, it would reduce infection spread. But where will that scrub time come from; what else gets dropped?]

To me, the whole EMR euphoria harks back to the promises re: how electronic voting machines were going to err solve all our election problems. The common thread: The Hill dumped lots of money onto a problem, without really looking at what the solution would be.

It's rather like the Cardassian legal system: Sentence First, Verdict Later; but here it's "Money First, Thinking Later..."

------------------------------

Date: Fri, 24 Jan 2014 09:57:48 -0600
From: Dimitri Maziuk <dmaziuk () bmrb wisc edu>
Subject: Re: Software licensing as information leak (Levy, RISKS-27.71)

On Fri, 10 Jan 2014 Stuart Levy wrote:

  ... The design is for enterprise system administrators to be able to track *all* software installed on *any* monitored machine -- and select some subset of packages as "interesting". Interesting software can be usage-tracked, and optionally flagged as being under a variety of kinds of license control ... and monitored ...

The flip side: a scientist working on NMR spectra is using several (of many) software packages to combine multiple spectra, FFT them, identify regions of interest, clean up the noise, and so on and so forth. A lot of it is manual and is driven by the scientist's expertise. The end result is often the 3D structure of the studied molecule that yields insight into its biological function and leads to new drugs etc.

The problem is reproducibility: in order to get from the original raw data to the same exact final result, potentially you need to not only use the same software but also the exact versions and retrace the exact sequence of steps. Or not -- but as long as we can do that, we can't prove otherwise or run any software comparison studies.

So yeah, we want to know not only what software you're using but also what you did with it in exact detail. Otherwise we can have one study claim that zinc kills common cold virus and another that it kills small furry kittens, and no way to reproduce either result.

(I expect NMR is not the only field where this exists; it's the one I'm familiar with.)

------------------------------

Date: Thu, 23 Jan 2014 15:05:46 +0000
From: "Kaliski, Burt" <bkaliski () verisign com>
Subject: Name-collision risks

As I've just noted on my Verisign blog today, we're organizing a workshop in March 2014 on the risks of "name collisions" in the Domain Name System - a major topic in the ICANN community of late:
http://namecollisions.net/
http://blogs.verisigninc.com/blog/entry/collisions_ahead_look_both_ways

I thought you might find this of interest in your ongoing effort to collect and analyze computer system risks. I've enjoyed following your commentary over the years, from my early days in cryptography and security.

The risk is not well known outside the Domain Name System community, and we're looking for ways to get more of industry informed and engaged. The workshop is open to the public. Papers will be selected by the technical program committee. In addition, the top papers will receive awards of up to $50,000.

Burt Kaliski Jr., Senior Vice President and CTO, bkaliski () Verisign com
m: 571-528-2679  t: 703-948-4664
12061 Bluemont Way, Reston, VA 20190

------------------------------

Date: Mon, 27 Jan 2014 10:07:59 -0800
From: Murat Okandan <mokanda () sandia gov>
Subject: 2nd Neuro-Inspired Computational Elements Workshop

Sandia National Laboratories and DARPA will be hosting the 2nd annual Neuro-Inspired Computational Elements Workshop (NICE 2014), 24-26 Feb 2014

Objective: The focus of this workshop is the creation of the next generation of information processing/computation architectures beyond stored program architecture and Moore's Law limits.

Goal: Bring together researchers from different scientific disciplines and application areas that are converging towards a new computational / information processing approach, determine potential pathways, identify applications that would have immediate benefit, and pursue resources to accelerate activity in those areas.

A list of confirmed speakers is available at the event web site.

Registration: Cost for the workshop is $150.
Event website: http://nice.sandia.gov
Contact: Murat Okandan <mokanda () sandia gov>, Ph.D., Chair, 1-505-284-6624
Event Organization: Linda Wood <llwood@sandia.gov>, 1-505-284-8404

------------------------------

Date: Sun, 7 Oct 2012 20:20:16 -0900
From: RISKS-request () csl sri com
Subject: Abridged info on RISKS (comp.risks)

The ACM RISKS Forum is a MODERATED digest. Its Usenet manifestation is comp.risks, the feed for which is donated by panix.com as of June 2011.

=> SUBSCRIPTIONS: PLEASE read RISKS as a newsgroup (comp.risks or equivalent) if possible and convenient for you. The mailman Web interface can be used directly to subscribe and unsubscribe:
  http://lists.csl.sri.com/mailman/listinfo/risks
Alternatively, to subscribe or unsubscribe via e-mail to mailman your FROM: address, send a message to
  risks-request () csl sri com
containing only the one-word text subscribe or unsubscribe. You may also specify a different receiving address: subscribe address= ... . You may short-circuit that process by sending directly to either
  risks-subscribe () csl sri com or risks-unsubscribe () csl sri com
depending on which action is to be taken.

Subscription and unsubscription requests require that you reply to a confirmation message sent to the subscribing mail address. Instructions are included in the confirmation message. Each issue of RISKS that you receive contains information on how to post, unsubscribe, etc.

=> The complete INFO file (submissions, default disclaimers, archive sites, copyright policy, etc.) is online.
  <http://www.CSL.sri.com/risksinfo.html>
*** Contributors are assumed to have read the full info file for guidelines.

=> .UK users may contact <Lindsay.Marshall () newcastle ac uk>.
=> SPAM challenge-responses will not be honored. Instead, use an alternative address from which you NEVER send mail!
=> SUBMISSIONS: to risks () CSL sri com with meaningful SUBJECT: line.
*** NOTE: Including the string "notsp" at the beginning or end of the subject
*** line will be very helpful in separating real contributions from spam.
*** This attention-string may change, so watch this space now and then.
=> ARCHIVES: ftp://ftp.sri.com/risks for current volume
  or ftp://ftp.sri.com/VL/risks for previous VoLume
  http://www.risks.org takes you to Lindsay Marshall's searchable archive at newcastle:
  http://catless.ncl.ac.uk/Risks/VL.IS.html gets you VoLume, ISsue.
  Lindsay has also added to the Newcastle catless site a palmtop version of the most recent RISKS issue and a WAP version that works for many but not all telephones: http://catless.ncl.ac.uk/w/r
  <http://the.wiretapped.net/security/info/textfiles/risks-digest/> .
==> PGN's comprehensive historical Illustrative Risks summary of one liners:
  <http://www.csl.sri.com/illustrative.html> for browsing,
  <http://www.csl.sri.com/illustrative.pdf> or .ps for printing
  is no longer maintained up-to-date except for recent election problems.
*** NOTE: If a cited URL fails, we do not try to update them. Try browsing on the keywords in the subject line or cited article leads.
==> Special Offer to Join ACM for readers of the ACM RISKS Forum:
  <http://www.acm.org/joinacm1>

------------------------------

End of RISKS-FORUM Digest 27.72
************************