Risks Digest 28.71
From: RISKS List Owner <risko@csl.sri.com>
Date: Sat, 20 Jun 2015 1:51:24 PDT
To: risks@mit.edu
RISKS-LIST: Risks-Forum Digest Saturday 20 June 2015 Volume 28 : Issue 71
ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
Peter G. Neumann, moderator, chmn ACM Committee on Computers and Public Policy
***** See last item for further information, disclaimers, caveats, etc. *****
This issue is archived at <http://www.risks.org> as
<http://catless.ncl.ac.uk/Risks/28.71.html>
The current issue can be found at
<http://www.csl.sri.com/users/risko/risks.txt>
Contents:
Major League Baseball cancels 60 million all-star votes (PGN)
L.A. plans potentially disastrous switch to "electronic" voting (Ars)
No ticket with a long name (Debora Weber-Wulff)
UN: Encryption a Fundamental Right (Eric Burger)
Samsung Keyboard Security Risk - 600M+ devices affected (NowSecure)
Payments to RBS customers missing (Richard I Cook)
Shooting over cellphone: case is 'extreme', say police (CBC News)
Heinz says sorry for ketchup QR code that links to porn site (Appy-geek)
Zero-day exploit lets App Store malware steal OS X and iOS passwords
(Glenn Fleishman)
Don't pay your bills all at once (paul wallich)
Officials say security lapses left OMB system open to hackers (PGN)
Re: Report: Russia, China Crack Snowden Docs (William Brodie-Tyrrell)
Liars trust cheaters, Re: sex, lies, debt exposed by OPM (Mark E. Smith)
OPM: Gone Phishing: Shoot the Wounded (Lisa Rein via Henry Baker)
Abridged info on RISKS (comp.risks)
----------------------------------------------------------------------
Date: Sat, 20 Jun 2015 02:27:50 -0400
From: Peter G Neumann
Subject: Major League Baseball cancels 60 million all-star votes
We've long been suggesting in RISKS that Internet Voting was an inherently
BAD IDEA. Now the folks who run the so-called American Pastime at the
top professional level may have decided that Internet Voting is really the
American PastTime, although many of us think it is not past time -- it is
NOT READY for prime time, and perhaps never will be, for elections of any
real importance.
http://bleacherreport.com/articles/2500903-mlb-cancels-more-than-60-million-all-star-votes-for-fear-of-improper-voting
By the way, apologies for letting "Armenia loses Internet access" slip
through in the previous issue. That item from 2011 was really past time.
------------------------------
Date: Sat, 13 Jun 2015 08:33:46 -0700
From: Lauren Weinstein <lauren@vortex.com>
Subject: L.A. plans potentially disastrous switch to "electronic" voting
L.A. plans potentially disastrous switch to "electronic" voting
Ars Technica
http://arstechnica.com/tech-policy/2015/06/los-angeles-county-moves-to-open-source-voting-technology/
The county is also considering a number of customizable options to bolster
voter turnout, which has suffered in recent years. Along with the new
system, it plans to introduce a "poll pass," which allows users to
pre-mark their votes using their phone, tablet, or desktop and scan them
with a QR code at their polling place. Logan said the new system is
designed to let users vote anywhere in the county, rather than at a
designated polling station. He hopes to broaden the 7:00am to 8:00pm
voting window to a multi-day "voting period," during which a limited
number of stations would be open prior to the election. There's even talk
of an electronic equivalent to absentee voting--if and when the law
permits.
Open source is not a panacea. So much here and planned that could go so very
wrong. They never learn. Note the part about "electronic" absentee
voting. Given how large the absentee voter population is in L.A., this
almost certainly means the disaster of Internet voting.
------------------------------
Date: Fri, 19 Jun 2015 17:22:53 +0200
From: Prof. Dr. Debora Weber-Wulff <weberwu@htw-berlin.de>
Subject: No ticket with a long name
The Swiss newspaper "20 Minuten" (20 minutes) reports that a Swiss woman of
Portuguese descent tried to purchase airline tickets online with the portal
Edreams.ch. She was informed a few days later that the tickets were
rejected by the airline Swiss because her name of 32 characters was too long
- Swiss only accept 28.
http://www.20min.ch/schweiz/romandie/story/Name-zu-lang---Flugticket-storniert-20762253
Portuguese and Spanish names are quite long, as there is one from the
mother's side and one from the father's side traditionally. Swiss pointed
out that it was edreams' fault - they should have asked the customer how she
wanted to abbreviate her name. In the meantime, she was able to buy tickets
from another airline with no length restriction on names -- but at a higher
price.
HTW Berlin, Studiengang IMI,Treskowallee 8, 10313 Berlin +49-30-5019-2320
weberwu@htw-berlin.de http://www.f4.htw-berlin.de/people/weberwu/
------------------------------
Date: Jun 16, 2015 3:15 PM
From: "Eric Burger" <eburger@standardstrack.com>
Subject: UN: Encryption a Fundamental Right
[via Dave Farber]
On Wednesday, Special Rapporteur on freedom of opinion and expression David
Kaye will present his report on international legal protection for
encryption and anonymity to the United Nations Human Rights Council. The
report is an important contribution to the security conversation at a time
when some Western leaders are calling for ill-informed and impossible
loopholes in technology--a trend that facilitates surveillance and tends to
enable states that openly seek to repress journalists.
http://cpj.org/blog/2015/06/un-report-promotes-encryption-as-fundamental-and-p.php
http://www.washingtonpost.com/blogs/the-switch/wp/2015/02/19/what-president-obama-is-getting-wrong-about-encryption/
http://www.theguardian.com/commentisfree/2015/jan/13/cameron-ban-encryption-digital-britain-online-shopping-banking-messaging-terror
http://cpj.org/blog/2015/01/classifying-media-and-encryption-as-a-threat-is-da.php
http://cpj.org/blog/2015/04/when-it-comes-to-great-firewall-attacks-https-is-g.php
http://www.ohchr.org/EN/Issues/FreedomOpinion/Pages/CallForSubmission.aspx
------------------------------
Date: Tue, 16 Jun 2015 18:55:50 -0700
From: Lauren Weinstein <lauren@vortex.com>
Subject: Samsung Keyboard Security Risk - 600M+ devices affected
NowSecure via NNSquad
https://www.nowsecure.com/keyboard-vulnerability/
Over 600 million Samsung mobile device users have been affected by a
significant security risk on leading Samsung models, including the
recently released Galaxy S6. The risk comes from a pre-installed keyboard
that allows an attacker to remotely execute code as a privileged (system)
user ... While Samsung began providing a patch to mobile network operators
in early 2015, it is unknown if the carriers have provided the patch to
the devices on their network. In addition, it is difficult to determine
how many mobile device users remain vulnerable, given the device models
and number of network operators globally.
------------------------------
Date: Wed, 17 Jun 2015 14:44:01 +0200
From: Richard I Cook MD <ricookmd@gmail.com>
Subject: Payments to RBS customers missing
About 600,000 payments expected by customers of the RBS group of banks
have failed to enter accounts overnight, the bank has admitted. Payments
including tax credits and disability living allowance are among the payments
that have failed to be credited to accounts. [...] it had now identified
and fixed the underlying problem. However, it is an embarrassment for the
group which was fined 56M pounds by regulators after a 2012 software issue
left millions of customers unable to access accounts. RBS, NatWest, and
Ulster Bank customers were affected in June 2012 after problems with a
software upgrade. RBS said it had invested hundreds of millions of pounds to
improve its computer systems since then.
http://www.bbc.com/news/business-33162855
------------------------------
Date: Tue, 16 Jun 2015 23:27:33 -0600
From: Jim Reisert AD1C <jjreisert@alum.mit.edu>
Subject: Shooting over cellphone: case is 'extreme', say police (CBC News)
The shooting death of an 18-year-old man trying to retrieve his lost
smartphone highlights the risks of using a mobile-tracking app, say police.
Jeremy Cook, a native of Brampton, Ont., was gunned down at about 5:15
a.m. ET on Sunday. London police found his body at the rear of a strip mall
near Huron Street and Highbury Avenue in the city's north end. He had
multiple gunshot wounds.
Cook had left his smartphone in a taxi and traced it electronically to an
address on Highbury Avenue.
When he and a relative went to the address, he was confronted by three men
in a car, Steeves told CBC News.
http://www.cbc.ca/news/canada/toronto/shooting-over-cellphone-case-is-extreme-say-police-1.3115069
------------------------------
Date: Fri, 19 Jun 2015 08:20:46 -0700
From: Lauren Weinstein <lauren@vortex.com>
Subject: Heinz says sorry for ketchup QR code that links to porn site
Appy-geek via NNSquad
http://www.appy-geek.com/Web/ArticleWeb.aspx?regionid=1&articleid=43584144&source=googleplus
The QR code linked to a URL used for the "Spread the word with Heinz"
competition between 2012 and 2014. Heinz allowed the domain name
"sagsmithheinz.de" to lapse after the competition closed, which was
subsequently purchased by a purveyor of German adult entertainment.
The right way to have done this, of course, would have been to have the QR
code point at some URL within the permanent Heinz domain and redirect to the
promotion site. Then when the promotion ends you could change the redirect
to something still sensible. But hey, that takes forethought.
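The redirect arrangement described above, as an added example that is not part of the original post and not Heinz's or anyone's production code: the QR code carries a path under a domain the company keeps permanently, a small resolver maps that path to the current promotion site, and once the promotion's end date has passed it sends scanners to a still-sensible page rather than to a rented domain that may have changed hands. All hostnames, paths and dates are constructed for illustration.

```python
"""Added example: an expiring redirect resolver for promotional QR codes.
Hostnames, paths and dates are constructed, not taken from the RISKS item."""

from dataclasses import dataclass
from datetime import date
from typing import Optional

# The brand's own, permanently held domain (constructed stand-in).
PERMANENT_HOST = "https://www.example-brand.invalid"


@dataclass(frozen=True)
class Campaign:
    slug: str     # path component printed in the QR code: /go/<slug>
    target: str   # external promotion site, possibly on a temporary domain
    ends: date    # last day on which the external target receives traffic
    after: str    # where scanners go once the campaign is over


CAMPAIGNS = {
    "spread-the-word": Campaign(
        slug="spread-the-word",
        target="https://promo-rented-domain.invalid/",   # constructed temporary domain
        ends=date(2014, 12, 31),
        after=PERMANENT_HOST + "/promotions/archive",
    ),
}


def qr_url(slug: str) -> str:
    """The URL to encode in the printed QR code: always under the permanent host."""
    return f"{PERMANENT_HOST}/go/{slug}"


def resolve(path: str, today_iso: str) -> Optional[str]:
    """Return the redirect Location for a scanned /go/<slug> path on the given
    ISO date, or None when the slug is unknown (serve a 404 instead)."""
    prefix = "/go/"
    if not path.startswith(prefix):
        return None
    campaign = CAMPAIGNS.get(path[len(prefix):])
    if campaign is None:
        return None
    today = date.fromisoformat(today_iso)
    # Only send traffic to the temporary domain while the promotion is live;
    # afterwards that domain may lapse and be re-registered by anyone.
    return campaign.target if today <= campaign.ends else campaign.after


if __name__ == "__main__":
    print(qr_url("spread-the-word"))
    print(resolve("/go/spread-the-word", "2013-06-01"))  # live: promotion site
    print(resolve("/go/spread-the-word", "2015-06-19"))  # ended: archive page
```

The point of the design is that the printed artefact never names the temporary domain: dropping the external registration later changes only a table entry on the permanent host, not what millions of bottles already say.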
------------------------------
Date: Thu, 18 Jun 2015 12:16:35 -0700
From: Gene Wirchenko <genew@telus.net>
Subject: Zero-day exploit lets App Store malware steal OS X and iOS passwords
(Glenn Fleishman)
Glenn Fleishman, Macworld, 18 Jun 2015
Researchers discover an exploit that lets OS X and iOS malware in the
App Store steal passwords and app data, as well as hijack session tokens
http://www.infoworld.com/article/2937241/security/zero-day-exploit-lets-app-store-malware-steal-os-x-and-ios-passwords.html
------------------------------
Date: Thu, 18 Jun 2015 11:47:35 -0400
From: paul wallich <pw@panix.com>
Subject: Don't pay your bills all at once
Early this morning my spouse texted me from the airport to let me know that
our credit card had been declined just as she was leaving for a trip. Turns
out there was "suspicious activity" on the card last night, and the
fraud-control folks had put a hold on it. The suspicious transactions: one
small purchase from an online retailer we use often, and three $100-plus
payments over the course of 30 minutes to what turned out to be the local
cable company, electric company and a mobile phone provider.
In other words, my spouse had been financially diligent and made sure all
our current bills were paid before leaving town.
This is by no means intended to ridicule the credit-card company and its
fraud-detection algorithms. The transactions (except, perhaps, for the
payees) do fit the common fraud pattern of one small test purchase and then
a bunch of big-ticket ones. And it took less than 10 minutes on the phone to
clear the problem up. But. It did make me think about how vulnerable our
current payment infrastructure is, and about the reversal of roles that has
occurred. Compromised accounts have become so common that, instead of
fraudsters trying to avoid detection, it's the job of legitimate customers
to figure out how not to be mistaken for crooks.
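The fraud pattern the post describes, "one small test purchase and then a bunch of big-ticket ones", as an added example that is not part of the original post and not any card issuer's actual rule: a naive version of the heuristic run over a constructed transaction log shaped like the evening described, beside the refinement the parenthetical about payees hints at, where large payments to payees the cardholder has paid before do not count toward the spree. All payees, amounts and timestamps are constructed.

```python
"""Added example: the 'small test purchase, then several large ones' card-fraud
heuristic, naive and payee-aware.  Transaction data below is constructed."""

from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import AbstractSet, List, Optional, Tuple


@dataclass(frozen=True)
class Txn:
    when: datetime
    amount: float
    payee: str


SMALL = 20.0                  # at or below this counts as a possible "test" purchase
LARGE = 100.0                 # at or above this counts as "big-ticket"
WINDOW = timedelta(minutes=30)
MIN_LARGE = 3                 # how many large follow-ups make a spree


def find_test_then_spree(txns: List[Txn],
                         known_payees: AbstractSet[str] = frozenset()) -> Optional[Txn]:
    """Return the small 'test' transaction that opens a suspicious sequence, or None.

    Sequence: a purchase under SMALL followed within WINDOW by at least MIN_LARGE
    purchases of LARGE or more.  Large payments to known_payees are ignored; with
    an empty set this is the naive rule that flagged the bill payments."""
    ordered = sorted(txns, key=lambda t: t.when)
    for i, probe in enumerate(ordered):
        if probe.amount >= SMALL:
            continue
        big = [t for t in ordered[i + 1:]
               if t.when - probe.when <= WINDOW
               and t.amount >= LARGE
               and t.payee not in known_payees]
        if len(big) >= MIN_LARGE:
            return probe
    return None


# Constructed log shaped like the post: one small online order, then three bills.
T0 = datetime(2015, 6, 17, 21, 0)
BILL_NIGHT = [
    Txn(T0, 8.99, "online-retailer"),
    Txn(T0 + timedelta(minutes=5), 112.40, "cable-co"),
    Txn(T0 + timedelta(minutes=12), 143.75, "electric-co"),
    Txn(T0 + timedelta(minutes=25), 104.10, "mobile-provider"),
]
# Constructed log of what the rule is meant to catch: unfamiliar merchants throughout.
SPREE = [
    Txn(T0, 1.00, "unknown-web-shop"),
    Txn(T0 + timedelta(minutes=3), 399.00, "electronics-store-x"),
    Txn(T0 + timedelta(minutes=9), 250.00, "gift-cards-y"),
    Txn(T0 + timedelta(minutes=20), 180.00, "travel-site-z"),
]
# Payees this household has paid before (constructed).
HOUSEHOLD_PAYEES = frozenset({"online-retailer", "cable-co", "electric-co", "mobile-provider"})


def demo() -> Tuple[bool, bool, bool]:
    """(naive rule flags bill night, payee-aware rule flags bill night,
    payee-aware rule flags the real spree)."""
    return (
        find_test_then_spree(BILL_NIGHT) is not None,
        find_test_then_spree(BILL_NIGHT, HOUSEHOLD_PAYEES) is not None,
        find_test_then_spree(SPREE, HOUSEHOLD_PAYEES) is not None,
    )


if __name__ == "__main__":
    print(demo())  # (True, False, True)
```

The payee history is the cheapest signal that separates the two logs: the amounts and timing are nearly identical, so any rule that looks only at those will keep declining diligent customers at airports.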
------------------------------
Date: Wed, 17 Jun 2015 9:16:51 PDT
From: "Peter G. Neumann" <neumann@csl.sri.com>
Subject: Officials say security lapses left OMB system open to hackers
http://bigstory.ap.org/article/d81b464390c34ab293e0abb3cccd4fcc/officials-say-security-lapses-left-system-open-hackers
[The information was indeed very sensitive. WHY was it on the Web? PGN]
------------------------------
Date: Wed, 17 Jun 2015 09:19:15 +0930
From: William Brodie-Tyrrell <william@brodie-tyrrell.org>
Subject: Re: Report: Russia, China Crack Snowden Docs (RISKS-28.70)
There is also significant risk in "journalists" publishing the
uncorroborated assertions of anonymous government officials who have a
direct interest in smearing people:
https://firstlook.org/theintercept/2015/06/14/sunday-times-report-snowden-files-journalism-worst-also-filled-falsehoods/
------------------------------
Date: Wed, 17 Jun 2015 09:03:54 +0800
From: "Mark E. Smith" <mymark@gmail.com>
Subject: Liars trust cheaters
Re: Sex, lies and debt potentially exposed by OPM data hack
Had the retired officer disclosed to the government that he'd been cheating
on his taxes rather than cheating on his wife for twenty years (but later
paid up), would he have still gotten his security clearance?
------------------------------
Date: Thu, 18 Jun 2015 14:21:26 -0700
From: Henry Baker <hbaker1@pipeline.com>
Subject: OPM: Gone Phishing: Shoot the Wounded
FYI -- OPM sent 750k e-mails to notify Fed employees & asked that *they
click on a link* to sign up for credit monitoring and other protections.
Isn't that how we got here in the first place?
[Of course, whoever stole the OPM data just did a facepalm and is now
thinking: "why didn't I think of that?"]
Lisa Rein, *WashPost*, 18 June 2015
Reacting to Chinese hack, the government may not have followed its own
cybersecurity rules
http://www.washingtonpost.com/blogs/federal-eye/wp/2015/06/18/reacting-to-chinese-hack-the-government-may-not-have-followed-its-own-cybersecurity-rules/
In responding to China's massive hack of federal personnel data, the
government may have run afoul of computer security again.
Over the last nine days, the Office of Personnel Management has sent e-mail
notices to hundreds of thousands of federal employees to notify them of the
breach and recommend that they click on a link to a private contractor's Web
site to sign up for credit monitoring and other protections.
But those e-mails have been met with increasing alarm by employees -- along
with retirees and former employees with personal data at risk -- who worry
that the communications may be a form of spear phishing used by adversaries
to penetrate sensitive government computer systems.
After the Defense Department raised a red flag about the e-mails its 750,000
civilian employees were starting to receive, OPM officials said late
Wednesday that the government had suspended its electronic notifications
this week.
``We've seen such distrust and concerns about phishing,'' OPM spokesman Sam
Schumach acknowledged, describing the feedback from many of the 4.2 million
current and former employees who are being notified that personnel files
containing their Social Security numbers, addresses and other personal
information may have been stolen.
Computer experts said the personnel agency -- already under fire from
lawmakers from both parties for failing to protect sensitive databases from
hackers -- could be putting federal systems in jeopardy again by asking
employees to click on links in the e-mails.
``There's a risk that you desensitize people by telling them that
occasionally, there's going to be a very important email you have to click
on,'' said Joseph Lorenzo Hall, chief technologist at the Center for
Democracy & Technology. He called OPM's first round of e-mail transmissions
the equivalent of ``sending a postcard to people saying gee, you just got
hacked, go to this website. The hackers could wise up and send their own set
of fake identity protection e-mails and get into your computers all over
again.''
That's precisely what worried top Defense officials before the chief
information officer of the government's largest agency told OPM last week to
suspend the notifications because they disregarded basic cybersecurity
training that's crucial to ensuring the safety of military networks: Never
click on unfamiliar links, attachments or e-mail addresses because they
expose employees to spear phishing attacks.
Defense offices across the country posted a bulletin in their internal
communication networks from CIO Terry Halvorsen that said OPM was
``suspending notification to DoD personnel that their [Personal Identifying
Information] may have been breached until an improved, more secure
notification and response process can be put in place.'' [...]
------------------------------
Date: Mon, 17 Nov 2014 11:11:11 -0800
From: RISKS-request@csl.sri.com
Subject: Abridged info on RISKS (comp.risks)
The ACM RISKS Forum is a MODERATED digest. Its Usenet manifestation is
comp.risks, the feed for which is donated by panix.com as of June 2011.
=> SUBSCRIPTIONS: PLEASE read RISKS as a newsgroup (comp.risks or equivalent)
if possible and convenient for you. The mailman Web interface can
be used directly to subscribe and unsubscribe:
http://mls.csl.sri.com/mailman/listinfo/risks
Alternatively, to subscribe or unsubscribe via e-mail to mailman
your FROM: address, send a message to
risks-request@csl.sri.com
containing only the one-word text subscribe or unsubscribe. You may
also specify a different receiving address: subscribe address= ... .
You may short-circuit that process by sending directly to either
risks-subscribe@csl.sri.com or risks-unsubscribe@csl.sri.com
depending on which action is to be taken.
Subscription and unsubscription requests require that you reply to a
confirmation message sent to the subscribing mail address. Instructions
are included in the confirmation message. Each issue of RISKS that you
receive contains information on how to post, unsubscribe, etc.
=> The complete INFO file (submissions, default disclaimers, archive sites,
copyright policy, etc.) is online.
<http://www.CSL.sri.com/risksinfo.html>
*** Contributors are assumed to have read the full info file for guidelines.
=> .UK users may contact <Lindsay.Marshall@newcastle.ac.uk>.
=> SPAM challenge-responses will not be honored. Instead, use an alternative
address from which you NEVER send mail!
=> SUBMISSIONS: to risks@CSL.sri.com with meaningful SUBJECT: line.
*** NOTE: Including the string `notsp' at the beginning or end of the subject
*** line will be very helpful in separating real contributions from spam.
*** This attention-string may change, so watch this space now and then.
=> ARCHIVES: ftp://ftp.sri.com/risks for current volume
or ftp://ftp.sri.com/VL/risks for previous VoLume
http://www.risks.org takes you to Lindsay Marshall's searchable archive at
newcastle: http://catless.ncl.ac.uk/Risks/VL.IS.html gets you VoLume, ISsue.
Lindsay has also added to the Newcastle catless site a palmtop version
of the most recent RISKS issue and a WAP version that works for many but
not all telephones: http://catless.ncl.ac.uk/w/r
<http://the.wiretapped.net/security/info/textfiles/risks-digest/> .
==> PGN's comprehensive historical Illustrative Risks summary of one liners:
<http://www.csl.sri.com/illustrative.html> for browsing,
<http://www.csl.sri.com/illustrative.pdf> or .ps for printing
is no longer maintained up-to-date except for recent election problems.
*** NOTE: If a cited URL fails, we do not try to update them. Try
browsing on the keywords in the subject line or cited article leads.
==> Special Offer to Join ACM for readers of the ACM RISKS Forum:
<http://www.acm.org/joinacm1>
------------------------------
End of RISKS-FORUM Digest 28.71
************************