Risks Digest 28.31
From: RISKS List Owner <risko@csl.sri.com>
Date: Fri, 24 Oct 2014 14:36:12 PDT
To: risks@mit.edu
RISKS-LIST: Risks-Forum Digest Friday 24 October 2014 Volume 28 : Issue 31
ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
Peter G. Neumann, moderator, chmn ACM Committee on Computers and Public Policy
***** See last item for further information, disclaimers, caveats, etc. *****
This issue is archived at <http://www.risks.org> as
<http://catless.ncl.ac.uk/Risks/28.31.html>
The current issue can be found at
<http://www.csl.sri.com/users/risko/risks.txt>
Contents:
Audi Recalls 850,000 Cars Over Airbag Software Flaw (NYT via Monty Solomon)
Feds examining medical devices for fatal cybersecurity flaws
(David Kravets via Monty Solomon)
NOAA is having major weather satellite data feed issues (danny burstein)
Belkin routers around the globe unable to connect to the Internet (Myce)
India probes identity card for monkey god Hanuman (BBC via
Prashanth Mundkur)
Machine Tasked with Getting Rid of Spam Could End Humanity (Elon Musk)
The Exascale Revolution (Tiffany Trader)
Dangers of an IT monoculture (Robert L Wears)
IoT as a Hazard: Smart Meters prove vulnerable (Bob Gezelter)
Hackers' Attack Cracked 10 Financial Firms in Major Assault (NYT)
Cyberattack on JPMorgan Raises Alarms at White House and on Wall Street
(NYT)
The Unpatchable Malware That Infects USBs Is Now on the Loose
(Andy Greenberg)
ComputerCOP: dubious "Internet Safety Software" given to US families (Ars)
iOS 8.1 plugs security hole that made it easy to install emulators
(Kyle Orland)
"Cisco, Oracle find dozens of their products affected by Shellshock"
(Lucian Constantin)
"Mayhem malware spreads through Linux servers via Shellshock exploits"
(Lucian Constantin)
Bug in Bash shell creates big security hole on anything with *nix in
it (Brett Mahar)
Samsung printer sniffers (David Lesher)
Twitter Sues U.S. Government Over Data Disclosure Rules (Monty Solomon)
Dozens of European ATMs rooted, allowing criminals to easily cash out
(Robert Lemos)
Using new Corvette's valet-recording tech could be a felony in some states
(Megan Geuss)
"The Dark Market for Personal Data" (Frank Pasquale)
"Patent trolls have one fewer legal loophole to hide behind"
(Simon Phipps via Gene Wirchenko)
The "he said, she said" of how the FBI found Silk Road's servers (Ars)
New York City orders Bluetooth beacons in pay phones to come down (Ars)
Seeing where the last taxi passenger went (Jeremy Epstein)
JPMorgan Discovers Further Cyber Security Issues (Monty Solomon)
7 million Dropbox username/password pairs apparently leaked (Ars)
Russia's Sandworm Hack Spying on Foreign Governments for Years (WiReD)
Google report on EU "right to be forgotten" requests (Lauren Weinstein)
This POODLE bites: exploiting the SSL 3.0 fallback (Google)
Re: Firedrive and Cloudflare (Jay Grizzard)
Re: Firedrive has gone down taking millions of files with it (Henry Baker)
Abridged info on RISKS (comp.risks)
----------------------------------------------------------------------
Date: Fri, 24 Oct 2014 06:30:53 -0400
From: Monty Solomon <monty@roscom.com>
Subject: Audi Recalls 850,000 Cars Over Airbag Software Flaw
The recall of the 2013-15 A4 model includes about 102,000 cars in the United
States, and the company said it had no reports of related accidents.
http://www.nytimes.com/2014/10/24/business/audi-recalls-850000-cars-over-airbag-software-flaw.html
------------------------------
Date: Fri, 24 Oct 2014 01:16:26 -0400
From: Monty Solomon <monty@roscom.com>
Subject: Feds examining medical devices for fatal cybersecurity flaws
(David Kravets)
David Kravets, Ars Technica, 23 Oct 2014,
They could be controlled remotely, overdose patients, or thwart heart implants.
http://arstechnica.com/tech-policy/2014/10/feds-examining-medical-devices-for-fatal-cybersecurity-flaws/
------------------------------
Date: Wed, 22 Oct 2014 22:41:42 -0400 (EDT)
From: danny burstein <dannyb@panix.com>
Subject: NOAA is having major weather satellite data feed issues
(I can't find a copy of their actual news release, so using this press story)
"Since Tuesday night, NESDIS, NOAA's satellite and information service, has
been experiencing network issues, and has not received a full feed of
satellite data for input, a critical component for the numerical models used
to forecast the weather"
http://www.accuweather.com/en/weather-news/noaa-network-issue-may-impact/36161909
It took a *year* for them to fix the NOAA/AHR radio transmitter in NYC,
and that only happened after a WSJ article...
------------------------------
Date: Tue, 7 Oct 2014 13:40:29 -0700
From: Lauren Weinstein <lauren@vortex.com>
Subject: Belkin routers around the globe unable to connect to the Internet
(Myce)
Myce via NNSquad
http://www.myce.com/news/belkin-router-users-worldwide-unable-to-connect-to-the-internet-73019/
As a workaround, Belkin is suggesting that users change their routers' DNS
settings to use Google DNS on 8.8.8.8 and 8.8.4.4:
https://statuspage-production.s3.amazonaws.com/static/belkin.html
(interesting URL)
------------------------------
Date: Thu, 23 Oct 2014 01:26:19 -0700
From: Prashanth Mundkur <prashanth.mundkur@gmail.com>
Subject: India probes identity card for monkey god Hanuman (BBC)
BBC, 12 September 2014
http://www.bbc.com/news/world-asia-india-29175870
Authorities in India are investigating how Hanuman, the monkey god, has been
issued a biometric identity card. [...] It emerged when a postman
attempted to deliver the card, but could not find a Hanuman at the address.
------------------------------
Date: Fri, 10 Oct 2014 13:21:55 -0600
From: "Matthew Kruk" <mkrukg@gmail.com>
Subject: Machine Tasked with Getting Rid of Spam Could End Humanity
(Elon Musk)
http://www.vanityfair.com/online/daily/2014/10/elon-musk-artificial-intelligence-fear
------------------------------
Date: Fri, 24 Oct 2014 12:11:58 -0400 (EDT)
From: "ACM TechNews" <technews@hq.acm.org>
Subject: The Exascale Revolution (Tiffany Trader)
Tiffany Trader, The Exascale Revolution, HPC Wire, 23 Oct 2014
(via ACM TechNews, Friday, October 24, 2014)
Experts are coming to a consensus that the shift from the petascale to the
exascale supercomputing eras is going to be more challenging than many
previously anticipated. At the recent Argonne National Laboratory Training
Program in Extreme Scale Computing, Pete Beckman, director of Argonne's
Exascale Technology and Computing Institute, highlighted some of the
possible problems. One major concern is power and the costs associated with
it. Although supercomputers have been getting more energy-efficient,
Beckman uses the example of the most recent generations of IBM
supercomputers to demonstrate a 5x trajectory of energy efficiency gains
that would still have an exascale system requiring 64 megawatts of power,
which could cost tens of millions of dollars a year. These cost concerns
are prompting many countries to pursue exascale computing on an
international scale, forming multinational partnerships to share the massive
costs. The U.S. and Japan recently entered such an agreement, and Europe is
looking to join them. However, China is proceeding on its own, largely on
the strength of its own native technology. Beckman also addressed
challenges relating to memory and resilience and the need to update software
to be able to make use of exascale resources.
http://orange.hosting.lsoft.com/trk/click?ref=znwrbbrs9_5-cd87x2bdf9x068385&
------------------------------
Date: Fri, 24 Oct 2014 11:32:55 -0400
From: "Robert L Wears, MD, MS, PhD" <wears@ufl.edu>
Subject: Dangers of an IT monoculture
A recent paper in a medical journal raises concerns about the emergence of
an IT 'monoculture' in healthcare. But, the paper misses IMHO the most
significant risk of a monoculture -- that it increases the magnitude of the
inevitable failures. In agriculture and ecosystems, monocultures lead to
the more rapid spread of pests and diseases, and are more vulnerable to
catastrophic collapse, particularly when conditions change. In a
heterogeneous population of EHRs, the occasional failure of any given system
due to hidden bugs, vulnerabilities, hacking, or unexpected interactions
with the conditions of use would create major problems for individual
institutions or work systems (e.g., see RISKS-23.19, 23.81, 24.68, 25.45,
25.51, 26.25, 28.3) but its impact would be limited. However, if a large
proportion of systems all contain the same vulnerability ... what could
possibly go wrong? The original paper available at:
http://jamia.bmj.com/content/early/2014/10/23/amiajnl-2014-003023.abstract
Robert L Wears, University of Florida wears@ufl.edu 1-904-244-4405 (ass't)
Imperial College London r.wears@imperial.ac.uk +44 (0)791 015 2219
------------------------------
Date: Fri, 17 Oct 2014 09:46:10 -0700
From: "Bob Gezelter" <gezelter@rlgsc.com>
Subject: IoT as a Hazard (IaaH): Smart Meters prove vulnerable
It should not be surprising. While the Internet of Things (IoT) has great
promise, widely-deployed, connected devices are an attractive target for all
kinds of mischief. SecurityAffairs reports that Javier Vazquez Vidal and
Alberto Garcia Illera explored smart power meters used in Spain. They found
that they could be hacked, and exploited in a number of ways (e.g.,
transferring usage, reporting false data). The lack of integrity in such
devices also raises the possibility that large numbers of compromised
devices could be used to present a false picture to utility operators,
compromising the operation of the utility's production and transmission
facilities. A profoundly disturbing picture. Meters and other devices also
represent a potential privacy hazard to the individual. The full article
can be found at:
http://securityaffairs.co/wordpress/29353/security/smart-meters-hacking.html
Bob Gezelter, http://www.rlgsc.com
------------------------------
Date: Sun, 5 Oct 2014 00:36:07 -0400
From: Monty Solomon <monty@roscom.com>
Subject: Hackers' Attack Cracked 10 Financial Firms in Major Assault (NYT)
Matthew Goldstein, Nicole Perlroth and David E. Sanger, *The New York Times*,
3 Oct 2014
The huge cyberattack on JPMorgan Chase that touched more than 83 million
households and businesses was one of the most serious computer intrusions
into an American corporation. But it could have been much worse.
Questions over who the hackers are and the approach of their attack concern
government and industry officials. Also troubling is that about nine other
financial institutions - a number that has not been previously reported -
were also infiltrated by the same group of overseas hackers, according to
people briefed on the matter. The hackers are thought to be operating from
Russia and appear to have at least loose connections with officials of the
Russian government, the people briefed on the matter said. ...
http://dealbook.nytimes.com/2014/10/03/hackers-attack-cracked-10-banks-in-major-assault/
Jessica Silver-Greenberg, Matthew Goldstein, Nicole Perlroth, NYT, 2 Oct 2014
JPMorgan Chase Hacking Affects 76 Million Households
Hackers' Attack Cracked 10 Financial Firms in Major Assault
http://dealbook.nytimes.com/2014/10/02/jpmorgan-discovers-further-cyber-security-issues/
Ways to Protect Yourself After the JPMorgan Hacking
Tara Siegel Bernard, *The New York Times*, 3 Oct 2014
http://www.nytimes.com/2014/10/04/your-money/jpmorgan-chase-hack-ways-to-protect-yourself.html
------------------------------
Date: Wed, 8 Oct 2014 19:55:48 -0400
From: Monty Solomon <monty@roscom.com>
Subject: Cyberattack on JPMorgan Raises Alarms at White House and on Wall Street
Other financial institutions -- Citigroup, E*Trade Financial and HSBC --
found that one of the same web addresses used to penetrate JPMorgan had
tried to get into their systems.
http://dealbook.nytimes.com/2014/10/08/cyberattack-on-jpmorgan-raises-alarms-at-white-house-and-on-wall-street/
------------------------------
Date: Sat, 4 Oct 2014 23:35:31 -0400
From: Monty Solomon <monty@roscom.com>
Subject: The Unpatchable Malware That Infects USBs Is Now on the Loose
(Andy Greenberg)
Andy Greenberg, *WiReD*, 2 Oct 2014
It's been just two months since researcher Karsten Nohl demonstrated an
attack he called BadUSB to a standing-room-only crowd at the Black Hat
security conference in Las Vegas, showing that it's possible to corrupt any
USB device with insidious, undetectable malware. Given the severity of that
security problem -- and the lack of any easy patch -- Nohl has held back on
releasing the code he used to pull off the attack. But at least two of
Nohl's fellow researchers aren't waiting any longer.
In a talk at the Derbycon hacker conference in Louisville, Kentucky last
week, researchers Adam Caudill and Brandon Wilson showed that they've
reverse engineered the same USB firmware as Nohl's SR Labs, reproducing some
of Nohl's BadUSB tricks. And unlike Nohl, the hacker pair has also published
the code for those attacks on Github, raising the stakes for USB makers to
either fix the problem or leave hundreds of millions of users vulnerable. ...
http://www.wired.com/2014/10/code-published-for-unfixable-usb-attack/
------------------------------
Date: Wed, 1 Oct 2014 08:32:48 -0700
From: Lauren Weinstein <lauren@vortex.com>
Subject: ComputerCOP: dubious "Internet Safety Software" given to US families
Ars via NNSquad
http://arstechnica.com/tech-policy/2014/10/computercop-the-dubious-internet-safety-software-given-to-families-nationwide/
Police chiefs, sheriffs, and district attorneys have handed out hundreds
of thousands of copies of the disc to parents for free at schools,
libraries, and community events, usually as a part of an "Internet Safety"
outreach initiative. (You can see the long list of ComputerCOP outlets
here.) The packaging typically features the agency's official seal and the
chief's portrait, with a signed message warning of the "dark and dangerous
off-ramps" of the Internet. As official as it looks, ComputerCOP is
actually just spyware, generally bought in bulk from a New York company
that appears to do nothing but market this software to local government
agencies using shady information. The way ComputerCOP works is neither
safe nor secure. It isn't particularly effective either, except for
generating positive PR for the law enforcement agencies distributing
it. As security software goes, we observed a product with a
keystroke-capturing function, also called a "keylogger," that could place
a family's personal information at extreme risk by transmitting those
keystroke logs over the Internet to third-party servers without
encryption. That means many versions of ComputerCOP leave children (and
their parents, guests, friends, and anyone using the affected computer)
exposed to the same predators, identity thieves, and bullies that police
claim the software protects against. Furthermore, by providing a free
keylogging program--software that operates without even the most basic
security safeguards--law enforcement agencies are passing around what
amounts to a spying tool that could easily be abused by people who want to
snoop on spouses, roommates, or co-workers.
------------------------------
Date: Thu, 9 Oct 2014 00:21:14 -0400
From: Monty Solomon <monty@roscom.com>
Subject: iOS 8.1 plugs security hole that made it easy to install emulators
(Kyle Orland)
Kyle Orland, Ars Technica, 8 Oct 2014
"Date trick" workaround allowed for unapproved apps without jailbreaking.
http://arstechnica.com/gaming/2014/10/ios-8-1-plugs-security-hole-that-made-it-easy-to-install-emulators/
------------------------------
Date: Thu, 02 Oct 2014 15:33:58 -0700
From: Gene Wirchenko <genew@telus.net>
Subject: "Cisco, Oracle find dozens of their products affected by Shellshock"
(Lucian Constantin)
Lucian Constantin, Infoworld, 30 Sep 2014
Cisco, Oracle find dozens of their products affected by Shellshock
Cisco has identified 71 products vulnerable to Shellshock and Oracle
51, but the number is likely to increase
http://www.infoworld.com/article/2689356/security/cisco-oracle-find-dozens-of-their-products-affected-by-shellshock.html
------------------------------
Date: Tue, 14 Oct 2014 11:53:44 -0700
From: Gene Wirchenko <genew@telus.net>
Subject: "Mayhem malware spreads through Linux servers via Shellshock exploits"
(Lucian Constantin)
Lucian Constantin, Infoworld, 10 Oct 2014
The botnet targets Web servers that haven't been patched for recent
vulnerabilities found in the Bash Linux shell
http://www.infoworld.com/article/2824494/security/mayhem-malware-spreads-through-linux-servers-via-shellshock-exploits.html
------------------------------
Date: Wed, 1 Oct 2014 13:37:03 +1000
From: Brett Mahar <brett@coiloptic.org>
Subject: Re: Bug in Bash shell creates big security hole on anything with
*nix in it (Weinstein, RISKS-28.29)
Not on OpenBSD, bash is not the shell, unless manually installed and
configured to be. Also, all network facing services are installed in chroot
by default, so even if bash was made the default shell it would be
inaccessible.
------------------------------
Date: Oct 3, 2014 6:10 PM
From: David Lesher <wb8foz@panix.com>
Subject: Samsung printer sniffers (via Dave Farber)
I was planning on spec'ing a quantity of Samsung printers for a client. We
bought a sample. The Mac driver installed OK, but the Windows one had a very
disturbing message during installation: Samsung was going to sniff the
printer's output, to {of course} better serve the customer. [I paraphrase
slightly....]
Needless to say, I was far from pleased. I tried to disallow same during the
installation, but got no confirmation that it happened.
{I can guess Samsung does not sell many printers to either Ft. Meade or
Langley.}
I've tried to reach someone at Samsung's printer division but got nowhere;
Support does not see it as their potato, and Sales's voicemail said they
will call me Back Real Soon Now.
------------------------------
Date: Tue, 7 Oct 2014 18:12:58 -0400
From: Monty Solomon <monty@roscom.com>
Subject: Twitter Sues U.S. Government Over Data Disclosure Rules
The social media giant wants to loosen restrictions on what it is allowed to
tell users about government information requests.
http://bits.blogs.nytimes.com/2014/10/07/twitter-sues-u-s-government-over-data-disclosure-rules/
------------------------------
Date: Wed, 8 Oct 2014 09:00:58 -0400
From: Monty Solomon <monty@roscom.com>
Subject: Dozens of European ATMs rooted, allowing criminals to easily cash out
(Robert Lemos)
Robert Lemos, Ars Technica, 7 Oct 2014
Criminals with physical access to ATMs install malware to control flow of money.
Criminals are installing fairly sophisticated malicious programs on banks'
ATMs, allowing them to control access to the machines and easily steal cash,
security firms Kaspersky and Interpol said in a joint statement released on
Tuesday. ...
http://arstechnica.com/security/2014/10/dozens-of-european-atms-rooted-allowing-criminals-to-easily-cash-out/
------------------------------
Date: Wed, 8 Oct 2014 09:08:15 -0400
From: Monty Solomon <monty@roscom.com>
Subject: Using new Corvette's valet-recording tech could be a felony in
some states (Megan Geuss)
Megan Geuss, Ars Technica, 26 Sep 2014
GM is sending updated software to make Valet Mode less legally questionable.
http://arstechnica.com/tech-policy/2014/09/new-corvettes-valet-recording-tech-could-be-a-felony-in-12-states/
------------------------------
Date: Thu, 16 Oct 2014 21:00:43 -0400
From: Marc Rotenberg <rotenberg@epic.org>
Subject: "The Dark Market for Personal Data" (Frank Pasquale)
Frank Pasquale, *The New York Times* op-ed, 16 Oct 2014
http://www.nytimes.com/2014/10/17/opinion/the-dark-market-for-personal-data.html
The reputation business is exploding. Having eroded privacy for decades,
shady, poorly regulated data miners, brokers and resellers have now taken
creepy classification to a whole new level. They have created lists of
victims of sexual assault, and lists of people with sexually transmitted
diseases. Lists of people who have Alzheimer's, dementia and AIDS. Lists of
the impotent and the depressed.
There are lists of impulse buyers. Lists of suckers: gullible consumers who
have shown that they are susceptible to vulnerability-based marketing. And
lists of those deemed commercially undesirable because they live in or near
trailer parks or nursing homes. Not to mention lists of people who have been
accused of wrongdoing, even if they were not charged or convicted.
Typically sold at a few cents per name, the lists don't have to be
particularly reliable to attract eager buyers -- mostly marketers, but also,
increasingly, financial institutions vetting customers to guard against
fraud, and employers screening potential hires.
There are three problems with these lists. First, they are often
inaccurate. For example, as The Washington Post reported, an Arkansas woman
found her credit history and job prospects wrecked after she was mistakenly
listed as a methamphetamine dealer. It took her years to clear her name and
find a job.
Second, even when the information is accurate, many of the lists have no
business being in the hands of retailers, bosses or banks. Having a medical
condition, or having been a victim of a crime, is simply not relevant to
most employment or credit decisions.
Third, people aren't told they are on these lists, so they have no
opportunity to correct bad information. The Arkansas woman found out about
the inaccurate report only when she was denied a job. She was one of the
rare ones. [...]
Frank Pasquale, a professor of law at the University of Maryland, is the
author of the forthcoming book, The Black Box Society: The Secret Algorithms
That Control Money and Information.
------------------------------
Date: Fri, 17 Oct 2014 14:33:51 -0700
From: Gene Wirchenko <genew@telus.net>
Subject: "Patent trolls have one fewer legal loophole to hide behind"
(Simon Phipps)
It is nice to see the patent trolls having risks.
Simon Phipps, InfoWorld | 16 Oct 2014
With one subtle stroke, the Judicial Conference of the United States
retires an old rule -- and denies patent trolls a major weapon
http://www.infoworld.com/article/2834542/patents/rule-change-hits-trolls.html
------------------------------
Date: Fri, 3 Oct 2014 16:43:38 -0400
From: Monty Solomon <monty@roscom.com>
Subject: The "he said, she said" of how the FBI found Silk Road's servers
http://arstechnica.com/tech-policy/2014/10/the-he-said-she-said-of-how-the-fbi-found-silk-roads-servers/
------------------------------
Date: Tue, 7 Oct 2014 10:28:58 -0400
From: Monty Solomon <monty@roscom.com>
Subject: New York City orders Bluetooth beacons in pay phones to come down
http://arstechnica.com/tech-policy/2014/10/new-york-city-orders-bluetooth-beacons-in-pay-phones-to-come-down/
------------------------------
Date: Sun, 12 Oct 2014 08:31:45 -0400
From: Jeremy Epstein <jeremy.j.epstein@gmail.com>
Subject: Seeing where the last taxi passenger went
On a recent ride from Washington Dulles airport (IAD) to my home in the
Virginia suburbs, the cab had an Android tablet mounted to the back of the
front-seat passenger seat, running an app that allowed you to see the
weather, driver information, etc. But the most interesting thing was that
it allowed you to enter your destination in Google Maps, which is useful for
drivers who may not know the area and/or whose English isn't the best.
A tool like this could be particularly useful if it allowed input in
multiple languages -- i.e., allow a Japanese visitor to enter their
destination in Japanese; similarly if such a thing were in a taxi in Japan,
it would be useful to allow an English-speaking visitor to enter their
destination in English. [Perhaps such things already exist; I haven't seen
one.]
However, the part that gave me slight pause was that in the destination
field, I could see the most recent half dozen destinations that cab had
gone, and there was no (obvious) way to clear destinations if I entered
mine.
At one level, this isn't a big deal -- if the cab had been on the street,
then the most recent destination was presumably near where I got it. On the
other hand, if the driver was being dispatched, the recent destinations
might be places where the driver had recently picked up passengers, and
hence likely empty homes.
One could also hypothesize interesting things one might learn -- if one sees
a politician getting out of a cab, one might be interested in where he/she
was coming from - i.e., from a lobbyist's office or a secret lover's
hideaway.
But all this depends on getting just the right timing - finding the right
person coming out of the cab, and getting in before another passenger.
Overall, I think the risk is low, but it might be surprising to taxi
customers that a future customer can find out where they went.
------------------------------
Date: Thu, 2 Oct 2014 17:07:10 -0400
From: Monty Solomon <monty@roscom.com>
Subject: JPMorgan Discovers Further Cyber Security Issues
The nation's largest bank recently found that hackers had gained entry to
some of its servers, say several people with knowledge of the investigation.
http://dealbook.nytimes.com/2014/10/02/jpmorgan-discovers-further-cyber-security-issues/
------------------------------
Date: Mon, 13 Oct 2014 21:20:31 -0700
From: Lauren Weinstein <lauren@vortex.com>
Subject: 7 million Dropbox username/password pairs apparently leaked
Ars via NNSquad
http://arstechnica.com/security/2014/10/7-million-dropbox-usernamepassword-pairs-apparently-leaked/
"Popular online locker service Dropbox appears to have been hacked. A
series of posts have been made to Pastebin purporting to contain login
credentials for hundreds of Dropbox accounts, with the poster claiming
that altogether 6,937,081 account credentials have been compromised.
Reddit users who have tested some of the leaked credentials have confirmed
that at least some of them work. Dropbox seems to have bulk reset all the
accounts listed in the Pastebin postings, though thus far other accounts
do not appear to have had their passwords reset. The hackers claim that
they will release more username/password pairs if they receive donations
to their bitcoin address."
It's like damned "Groundhog Day" ...
LATER Update: Dropbox is saying that this is not a hack per se, but rather a
cross-site shared password attack -- which of course can still cause
a lot of problems if you share your passwords between services and don't
have 2-factor authentication enabled. [NNSquad]
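The update above describes a cross-site shared-password (credential-stuffing) attack rather than a break-in at Dropbox, and a service's first defensive move is to spot the stuffing run in its own authentication logs and force-reset the accounts it hit. The following detector is an added example written for this digest; it is not Dropbox's code or part of the Ars article. The log line format, IP addresses and user names are all constructed for the example; the only assumption in the logic is that a stuffing run shows up as one source IP trying many distinct user names within a short window, while a forgetful legitimate user fails repeatedly on a single name.

```python
# Added example (not from Dropbox, Ars or NNSquad): flag credential stuffing in
# authentication logs and list the accounts that the run actually got into.
import re
from collections import Counter, defaultdict
from datetime import datetime, timezone

# Constructed log format: "<ISO time> ip=<addr> user=<name> result=<fail|success>"
LINE_RE = re.compile(r"^(?P<ts>\S+) ip=(?P<ip>\S+) user=(?P<user>\S+) result=(?P<result>\S+)$")

# Constructed sample: one IP walks a leaked user/password list and lands one hit;
# another IP is a single user mistyping their own password.
SAMPLE_LOG = """\
2014-10-13T21:00:00Z ip=203.0.113.9 user=alice result=fail
2014-10-13T21:00:03Z ip=203.0.113.9 user=bob result=fail
2014-10-13T21:00:05Z ip=203.0.113.9 user=carol result=success
2014-10-13T21:00:07Z ip=203.0.113.9 user=dave result=fail
2014-10-13T21:00:09Z ip=203.0.113.9 user=erin result=fail
2014-10-13T21:00:12Z ip=203.0.113.9 user=frank result=fail
2014-10-13T21:01:00Z ip=198.51.100.4 user=grace result=fail
2014-10-13T21:01:20Z ip=198.51.100.4 user=grace result=fail
2014-10-13T21:01:40Z ip=198.51.100.4 user=grace result=fail
2014-10-13T21:02:00Z ip=198.51.100.4 user=grace result=success
"""


def parse(lines):
    """Yield (unix_time, ip, user, result) for every well-formed line; skip the rest."""
    events = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        events.append((ts.timestamp(), m["ip"], m["user"], m["result"]))
    return events


def find_stuffing(lines, window=60, min_users=5):
    """Return {ip: {"distinct_users": peak, "compromised": [users]}} for every IP
    that tried at least `min_users` distinct user names inside any `window`
    seconds. Successful logins from such an IP are the accounts to force-reset."""
    by_ip = defaultdict(list)
    for ts, ip, user, result in parse(lines):
        by_ip[ip].append((ts, user, result))
    flagged = {}
    for ip, events in by_ip.items():
        events.sort()
        in_window = Counter()        # user -> attempts currently inside the window
        lo, peak = 0, 0
        for ts, user, _ in events:   # sliding window over time-ordered attempts
            in_window[user] += 1
            while ts - events[lo][0] > window:
                old = events[lo][1]
                in_window[old] -= 1
                if in_window[old] == 0:
                    del in_window[old]
                lo += 1
            peak = max(peak, len(in_window))
        if peak >= min_users:
            flagged[ip] = {
                "distinct_users": peak,
                "compromised": sorted({u for _, u, r in events if r == "success"}),
            }
    return flagged


if __name__ == "__main__":
    for ip, info in find_stuffing(SAMPLE_LOG.splitlines()).items():
        print(f"{ip}: {info['distinct_users']} distinct users, reset {info['compromised']}")
```

The window keeps a legitimate user who fails five times on one account from tripping the rule, because the count is of distinct names, not of attempts; the threshold and window are tuning knobs, and in production the same logic would run per IP range or per user-agent as well, since a stuffing run is usually spread over many addresses.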
------------------------------
Date: Mon, 13 Oct 2014 21:27:35 -0700
From: Lauren Weinstein <lauren@vortex.com>
Subject: Russia's Sandworm Hack Spying on Foreign Governments for Years
Wired via NNSquad
http://www.wired.com/2014/10/russian-sandworm-hack-isight/
"A cyberespionage campaign believed to be based in Russia has been
targeting government leaders and institutions for nearly five years,
according to researchers with iSight Partners who have examined code used
in the attacks. The campaign, dubbed "Sandworm" is believed to have been
running since 2009, and used a wide-reaching zero-day exploit uncovered by
the researchers that affects nearly every version of the Windows operating
system released since Windows Vista."
[Also noted by Bob Gezelter]
http://www.isightpartners.com/2014/10/cve-2014-4114/
- Bob Gezelter, http://www.rlgsc.com
------------------------------
Date: Fri, 10 Oct 2014 11:46:52 -0700
From: Lauren Weinstein <lauren@vortex.com>
Subject: Google report on EU "right to be forgotten" requests
Google via NNSquad
http://www.google.com/transparencyreport/removals/europeprivacy/
European privacy requests for search removals. // Total URLs that Google has
evaluated for removal: 497,695 URLs // Total requests Google has received:
144,954 requests // 41.8% removal approval rate.
------------------------------
Date: Tue, 14 Oct 2014 17:58:06 -0700
From: Lauren Weinstein <lauren@vortex.com>
Subject: This POODLE bites: exploiting the SSL 3.0 fallback
Google via NNSquad
http://googleonlinesecurity.blogspot.com.au/2014/10/this-poodle-bites-exploiting-ssl-30.html
"Today we are publishing details of a vulnerability in the design of SSL
version 3.0. This vulnerability allows the plaintext of secure connections
to be calculated by a network attacker. I discovered this issue in
collaboration with Thai Duong and Krzysztof Kotowicz (also Googlers). SSL
3.0 is nearly 15 years old, but support for it remains widespread. Most
importantly, nearly all browsers support it and, in order to work around
bugs in HTTPS servers, browsers will retry failed connections with older
protocol versions, including SSL 3.0. Because a network attacker can cause
connection failures, they can trigger the use of SSL 3.0 and then exploit
this issue."
[See also Kim Zetter, *WiReD*, 14 Oct 2014
<http://www.wired.com/2014/10/poodle-explained/> ]
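The quoted paragraph describes the mechanism that turns an old protocol into a live problem: browsers retry a failed handshake with an older version, so an attacker who can drop connections steers the client down to SSL 3.0. The simulation below is an added example, not code from Google's post or from any browser; it models that downgrade dance, the TLS_FALLBACK_SCSV signalling value from RFC 7507 that lets a server refuse a fallback it did not need, and the simpler fix of a client that no longer offers SSL 3.0 at all. The Server and connect functions, the version names and the "AES128-SHA" placeholder suite are constructed for the model; the network adversary only does what the post says it can do, namely cause connection failures.

```python
# Added example (not from Google's POODLE post or RISKS): a toy model of the
# browser version-fallback that POODLE relies on, and of the TLS_FALLBACK_SCSV
# signal (RFC 7507) that lets a server reject a fallback it could have avoided.

VERSIONS = ["SSL3.0", "TLS1.0", "TLS1.1", "TLS1.2"]   # oldest to newest
FALLBACK_SCSV = "TLS_FALLBACK_SCSV"                   # RFC 7507 signalling suite value


def _rank(version):
    return VERSIONS.index(version)


class Server:
    """Minimal server: accepts only versions it supports and, when the client
    signals that this hello is a fallback retry, refuses if it supports better."""

    def __init__(self, supported):
        self.supported = list(supported)
        self.best = max(self.supported, key=_rank)

    def handshake(self, hello):
        offered = hello["version"]
        if offered not in self.supported:
            # Modelled as a version-intolerant legacy server that fails instead
            # of negotiating down; that behaviour is what browser fallback was
            # invented to work around.
            return None, "protocol_version"
        if FALLBACK_SCSV in hello["ciphers"] and _rank(offered) < _rank(self.best):
            return None, "inappropriate_fallback"      # RFC 7507 alert
        return offered, None


def attacker_drops(version):
    """Constructed network adversary: every attempt above SSL 3.0 is killed."""
    return version != "SSL3.0"


def no_interference(version):
    return False


def connect(server, client_versions, send_scsv, network_failure=no_interference):
    """Browser-style client: offer the newest version first and retry with the
    next-older one after any failure. Returns (negotiated version or None, trace)."""
    trace = []
    ordered = sorted(client_versions, key=_rank, reverse=True)
    for attempt, version in enumerate(ordered):
        if network_failure(version):
            trace.append(f"{version}: connection dropped, retrying lower")
            continue
        ciphers = ["AES128-SHA"]
        if send_scsv and attempt > 0:        # a fallback retry: say so in the hello
            ciphers.append(FALLBACK_SCSV)
        negotiated, alert = server.handshake({"version": version, "ciphers": ciphers})
        if negotiated:
            trace.append(f"{version}: negotiated")
            return negotiated, trace
        trace.append(f"{version}: server alert {alert}")
        if alert == "inappropriate_fallback":
            return None, trace               # a real client must stop descending here
    return None, trace


if __name__ == "__main__":
    server = Server(VERSIONS)                 # still has SSL 3.0 enabled, but speaks RFC 7507
    for label, scsv, net, versions in [
        ("no attacker", False, no_interference, VERSIONS),
        ("attacker, no SCSV", False, attacker_drops, VERSIONS),
        ("attacker, SCSV", True, attacker_drops, VERSIONS),
        ("attacker, client without SSL 3.0", False, attacker_drops, VERSIONS[1:]),
    ]:
        result, trace = connect(server, versions, scsv, net)
        print(f"{label}: {result}  ({' | '.join(trace)})")
```

Two outcomes matter for a defender: without the signal, the dropped connections end with an SSL 3.0 session the attacker can then work on; with it, the server that could have spoken TLS 1.2 answers the SSL 3.0 retry with inappropriate_fallback and the client fails closed. The signal does not break genuinely old servers, because a server whose best version is the one offered simply accepts. Removing SSL 3.0 from the client's list is the shorter path and is what the browser vendors did.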
------------------------------
Date: Fri, 24 Oct 2014 08:11:07 -0700
From: Jay Grizzard <elfchief@lupine.org>
Subject: Re: Firedrive and Cloudflare
The recent firedrive.com outage has triggered several messages to RISKS that
have pointed a finger at Cloudflare as a culpable party, because the IP
address for firedrive.com matches IP addresses also owned by
Cloudflare. While the latter is true (firedrive.com is in Cloudflare's IP
space), this does not actually imply Cloudflare involvement, complacency, or
responsibility.
Cloudflare is a Content Distribution Network (CDN). Basically, this means
that they host no data at all -- they sell distribution services, much the
same way a phone company does (though a better analogue might be an
answering service). Companies (like Firedrive) pay Cloudflare to proxy
incoming traffic for them, and cache the parts of that data that can be
cached, as a way to offload traffic from their own servers, and make their
websites more responsive to their users.
Blaming Cloudflare, in this case, is like blaming an answering service
because your doctor's office isn't picking up their phone. No matter how
much you beg, the answering service can't help you with that funny looking
mole you just discovered -- all they can do is pass on your requests, and
hope that your doctor responds.
Cloudflare is just an intermediary here.
The real risk (beyond the mis-attribution of problems) is the continued
belief that "the cloud" is some kind of magic sauce that relieves you of
responsibility for the safety of your data (i.e. keeping backups). Any given
cloud provider is a place you can store data, but cloud providers can fail,
just like physical media can. Storing your important data on a single cloud
provider is akin to storing your important data on a single hard drive. You
/probably/ won't have a failure that causes you to lose data, but cloud
providers (like hard drives) are fallible, and I seriously doubt that this
will be the last major failure of a cloud storage company.
------------------------------
Date: Fri, 24 Oct 2014 06:12:31 -0700
From: Henry Baker <hbaker1@pipeline.com>
Subject: Re: Firedrive has gone down taking millions of files with it
(Brady, RISKS-28.30)
Two words: "Erasure Code":
http://en.wikipedia.org/wiki/Erasure_code
"In information theory, an erasure code is a forward error correction (FEC)
code for the binary erasure channel, which transforms a message of k symbols
into a longer message (code word) with n symbols such that the original
message can be recovered from a subset of the n symbols"
Aka RAIC -- Redundant Array of Independent Clouds
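The quoted definition is easy to state and worth seeing run: k symbols go in, n symbols come out, and any k of the n are enough to rebuild the original. The code below is an added example, not from Henry Baker's note or from the Wikipedia article. It implements a small systematic erasure code by polynomial interpolation over the prime field GF(257) (a constructed simplification; Reed-Solomon codes in real storage systems do the same over GF(2^8)), then applies it stripe by stripe to spread a file across n hypothetical cloud providers so that the loss of any n minus k of them costs nothing. Provider blobs are lists of integers rather than bytes because a parity symbol can take the value 256.

```python
# Added example (not part of Henry Baker's note or the Wikipedia article): a
# tiny systematic erasure code over GF(257) used to spread a file across n
# "cloud providers" so that any k of them suffice to rebuild it (a RAIC).

P = 257  # prime: every byte 0..255 is a field element, every nonzero element has an inverse


def _lagrange(points, x):
    """Evaluate at x the unique polynomial of degree < len(points) through the
    (xi, yi) pairs in `points`, with all arithmetic mod P."""
    total = 0
    for i, (xi, yi) in enumerate(points):
        num = den = 1
        for j, (xj, _) in enumerate(points):
            if i != j:
                num = num * (x - xj) % P
                den = den * (xi - xj) % P
        total = (total + yi * num * pow(den, P - 2, P)) % P   # Fermat inverse of den
    return total


def encode_stripe(stripe, n):
    """k data symbols -> n (x, y) shares. Shares 1..k carry the data itself
    (systematic); shares k+1..n are evaluations of the interpolating polynomial."""
    k = len(stripe)
    data_points = [(x, stripe[x - 1]) for x in range(1, k + 1)]
    return data_points + [(x, _lagrange(data_points, x)) for x in range(k + 1, n + 1)]


def decode_stripe(shares, k):
    """Any k of the n shares fix the polynomial; read the data back off x = 1..k."""
    if len(shares) < k:
        raise ValueError(f"need {k} shares, have {len(shares)}")
    pts = shares[:k]
    return bytes(_lagrange(pts, x) for x in range(1, k + 1))


def spread(data, k, n):
    """Split `data` into k-byte stripes (zero-padded), encode each, and hand
    symbol j of every stripe to provider j. Returns n provider blobs."""
    padded = data + b"\x00" * (-len(data) % k)
    providers = [[] for _ in range(n)]
    for off in range(0, len(padded), k):
        for j, (_, y) in enumerate(encode_stripe(padded[off:off + k], n)):
            providers[j].append(y)
    return providers


def rebuild(available, k, length):
    """available: {provider_index: blob} for whichever providers still answer.
    Any k of them are enough; fewer is an unrecoverable loss."""
    idx = sorted(available)[:k]
    if len(idx) < k:
        raise ValueError(f"only {len(idx)} providers left, {k} required")
    nstripes = len(available[idx[0]])
    out = bytearray()
    for s in range(nstripes):
        out += decode_stripe([(j + 1, available[j][s]) for j in idx], k)
    return bytes(out[:length])


if __name__ == "__main__":
    doc = b"Keep your own backups: any single provider can fail."   # constructed sample
    K, N = 4, 6                                   # tolerate the loss of any 2 providers
    blobs = spread(doc, K, N)
    survivors = {i: blobs[i] for i in (1, 2, 4, 5)}   # providers 0 and 3 have gone dark
    print(rebuild(survivors, K, len(doc)))
```

With k = 4 and n = 6 the stored volume is 1.5 times the file, against 6 times for plain replication to six providers, and the file survives any two of them disappearing the way Firedrive did. The practical caveats are that the stripe layout and the mapping of providers to share indices are themselves data the owner must keep, and that an erasure code protects against loss, not against a provider reading what it holds; encrypt before spreading.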
------------------------------
Date: Sun, 7 Oct 2012 20:20:16 -0900
From: RISKS-request@csl.sri.com
Subject: Abridged info on RISKS (comp.risks)
The ACM RISKS Forum is a MODERATED digest. Its Usenet manifestation is
comp.risks, the feed for which is donated by panix.com as of June 2011.
=> SUBSCRIPTIONS: PLEASE read RISKS as a newsgroup (comp.risks or equivalent)
if possible and convenient for you. The mailman Web interface can
be used directly to subscribe and unsubscribe:
http://lists.csl.sri.com/mailman/listinfo/risks
Alternatively, to subscribe or unsubscribe via e-mail to mailman
your FROM: address, send a message to
risks-request@csl.sri.com
containing only the one-word text subscribe or unsubscribe. You may
also specify a different receiving address: subscribe address= ... .
You may short-circuit that process by sending directly to either
risks-subscribe@csl.sri.com or risks-unsubscribe@csl.sri.com
depending on which action is to be taken.
Subscription and unsubscription requests require that you reply to a
confirmation message sent to the subscribing mail address. Instructions
are included in the confirmation message. Each issue of RISKS that you
receive contains information on how to post, unsubscribe, etc.
=> The complete INFO file (submissions, default disclaimers, archive sites,
copyright policy, etc.) is online.
<http://www.CSL.sri.com/risksinfo.html>
*** Contributors are assumed to have read the full info file for guidelines.
=> .UK users may contact <Lindsay.Marshall@newcastle.ac.uk>.
=> SPAM challenge-responses will not be honored. Instead, use an alternative
address from which you NEVER send mail!
=> SUBMISSIONS: to risks@CSL.sri.com with meaningful SUBJECT: line.
*** NOTE: Including the string `notsp' at the beginning or end of the subject
*** line will be very helpful in separating real contributions from spam.
*** This attention-string may change, so watch this space now and then.
=> ARCHIVES: ftp://ftp.sri.com/risks for current volume
or ftp://ftp.sri.com/VL/risks for previous VoLume
http://www.risks.org takes you to Lindsay Marshall's searchable archive at
newcastle: http://catless.ncl.ac.uk/Risks/VL.IS.html gets you VoLume, ISsue.
Lindsay has also added to the Newcastle catless site a palmtop version
of the most recent RISKS issue and a WAP version that works for many but
not all telephones: http://catless.ncl.ac.uk/w/r
<http://the.wiretapped.net/security/info/textfiles/risks-digest/> .
==> PGN's comprehensive historical Illustrative Risks summary of one liners:
<http://www.csl.sri.com/illustrative.html> for browsing,
<http://www.csl.sri.com/illustrative.pdf> or .ps for printing
is no longer maintained up-to-date except for recent election problems.
*** NOTE: If a cited URL fails, we do not try to update them. Try
browsing on the keywords in the subject line or cited article leads.
==> Special Offer to Join ACM for readers of the ACM RISKS Forum:
<http://www.acm.org/joinacm1>
------------------------------
End of RISKS-FORUM Digest 28.31
************************