Risks Digest 28.72
From: RISKS List Owner <risko@csl.sri.com>
Date: Mon, 22 Jun 2015 15:01:28 PDT
To: risks@mit.edu
RISKS-LIST: Risks-Forum Digest Monday 22 June 2015 Volume 28 : Issue 72
ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
Peter G. Neumann, moderator, chmn ACM Committee on Computers and Public Policy
***** See last item for further information, disclaimers, caveats, etc. *****
This issue is archived at <http://www.risks.org> as
<http://catless.ncl.ac.uk/Risks/28.72.html>
The current issue can be found at
<http://www.csl.sri.com/users/risko/risks.txt>
Contents: [Possible Seasonal Slowdown Begins]
Polish airline LOT hacked, flights suspended for hours (Michal Rosa)
8 Indicted in Identity Thefts of Patients at Montefiore Medical Center
(NYT via Monty Solomon)
US agency plundered by Chinese hackers made one of the dumbest
security moves possible (Business Insider)
Australia passes controversial anti-piracy web censorship law (Ars Technica)
Reason.com hit with federal subpoena to identify online commenters
(Steve Golson)
"Help, I'm Trapped in Facebook's Absurd Pseudonym Purgatory" (WiReD)
The Titanic and the Ark -- Re: pension org phished (Michael Bacon)
Re: L.A. plans potentially disastrous switch to "electronic" voting
(Steve Lamont)
Re: Major League Baseball cancels 60 million all-star votes
(Harlan Rosenthal, RISKS-28.71)
Abridged info on RISKS (comp.risks)
----------------------------------------------------------------------
Date: Sun, 21 Jun 2015 23:01:49 +0000
From: "Rosa, Michal" <michal.rosa@hp.com>
Subject: Polish airline LOT hacked, flights suspended for hours notsp
A number of flights operated by the Polish national airline LOT were
grounded on Sunday, June 22, as unknown hackers gained access to LOT's
computers.
According to the official communique, the computers were attacked in a way
which made it impossible to print flight plans for airliners departing from
Warsaw. According to LOT there was no danger to any of the aircraft already
in the air; the only thing the attack prevented was the creation and printing of
flight plans for regular flights departing from Warsaw. LOT informed about
the problem at 4pm on Sunday, and the problem was apparently resolved
by 8.45pm. At the moment no other details are known.
http://niebezpiecznik.pl/post/komputery-lot-u-zaatakowane-samoloty-uziemione/ - link in Polish only, sorry.
------------------------------
Date: Mon, 22 Jun 2015 02:10:25 -0400
From: Monty Solomon <monty@roscom.com>
Subject: 8 Indicted in Identity Thefts of Patients at Montefiore Medical Center
A hospital employee and seven others were indicted on Friday on charges of
stealing the personal information of as many as 12,000 patients.
http://www.nytimes.com/2015/06/20/nyregion/8-indicted-in-identity-thefts-of-patients-at-montefioremedical-center.html
------------------------------
Date: Sat, 20 Jun 2015 20:30:37 -0700
From: Lauren Weinstein <lauren@vortex.com>
Subject: US agency plundered by Chinese hackers made one of the dumbest
security moves possible (Re: RISKS-28.69,71)
http://www.businessinsider.com/the-us-agency-plundered-by-chinese-hackers-made-one-of-the-dumbest-security-moves-possible-2015-6
Contractors in Argentina and China were given "direct access to every row
of data in every database" when they were hired by the Office of Personnel
Management (OPM) to manage the personnel records of more than 14 million
federal employees, a federal consultant told ArsTechnica.
[See also, from Monty Solomon: Undetected for nearly a year, Chinese
intruders executed a sophisticated hack that gave them administrator
privileges in government networks. Their ultimate target: information on
anyone seeking a security clearance.
http://www.nytimes.com/2015/06/21/us/attack-gave-chinese-hackers-privileged-access-to-us-systems.html
PGN]
------------------------------
Date: Mon, 22 Jun 2015 07:29:56 -0700
From: Lauren Weinstein <lauren@vortex.com>
Subject: Australia passes controversial anti-piracy web censorship law (Ars)
Ars via NNSquad
http://arstechnica.co.uk/tech-policy/2015/06/australia-passes-controversial-anti-piracy-web-censorship-law/
As well as being based on a false premise, the new law will also be
ineffectual, since Australians can simply use web proxies and VPNs to
circumvent any blocks that are imposed. This has raised the fear that the
courts will go on to apply the new law to VPN providers, although
Australia's Communications Minister Malcolm Turnbull has insisted this
won't happen. According to TorrentFreak, last week Turnbull said: "VPNs
have a wide range of legitimate purposes, not least of which is the
preservation of privacy--something which every citizen is entitled to
secure for themselves--and [VPN providers] have no oversight, control or
influence over their customers' activities." If Turnbull sticks to that
view, it is likely that Australians will turn increasingly to VPNs to
nullify the new law.
------------------------------
Date: Sat, 20 Jun 2015 14:13:35 -0400
From: Steve Golson <sgolson@trilobyte.com>
Subject: Reason.com hit with federal subpoena to identify online commenters
Reason.com, a leading libertarian website affiliated with Reason magazine,
received a federal grand jury subpoena compelling them to identify anonymous
commenters. The subpoena included a gag order so Reason.com could not talk
about it. Until now:
http://reason.com/blog/2015/06/19/government-stifles-speech
http://popehat.com/2015/06/08/department-of-justice-uses-grand-jury-subpoena-to-identify-anonymous-commenters-on-a-silk-road-post-at-reason-com/
http://popehat.com/2015/06/11/media-coverage-of-the-reason-debacle/
But Reason.com is not the dark web. Many of our regular commenters
voluntarily display either personal website information or their email
addresses. In fact, three of the six commenters subject to this very
subpoena voluntarily displayed public links to personal blogs at Blogger
as part of their comments, one of which further links to a Google+ page.
Raising the question: How can the government view these so-called
"threats" as so nefarious when people posted them in such a non-anonymous
fashion?
------------------------------
Date: Sat, 20 Jun 2015 16:54:40 -0700
From: Lauren Weinstein <lauren@vortex.com>
Subject: "Help, I'm Trapped in Facebook's Absurd Pseudonym Purgatory"
http://www.wired.com/2015/06/facebook-real-name-policy-problems/
"TWO WEEKS AGO, Facebook locked me out of my profile. My photos and
friends are gone, my profile vanished without a trace. Someone reported
my account as pseudonymous, and Facebook kicked me out. To get back in, I
must provide various forms of identification proving the authenticity of
my username. I'm not going to. I am one of many casualties of Facebook's
recently rejiggered "authentic name" policy, wherein anonymous users can
report a name as fake and trigger a verification process. Part of the
motivation is stopping the proliferation of celebrity imposter accounts
and profiles made for pets. But it's also allowed Facebook to shutter the
accounts of real people, based on "authenticity." What does "authentic"
mean, though? It's both confusing and contextual, because identity itself
is confusing and contextual."
Yet another difference with Google. When they realized that the entire "real
name" paradigm just didn't work out well for users in Google+, Google
actually learned from this and moved beyond it to an open naming model. In
contrast, Facebook just keeps repeating its own mistakes again, and again,
and again ...
[FaRcebook with R for Repeat? PGN]
------------------------------
Date: Sat, 20 Jun 2015 13:17:38 +0100
From: Michael Bacon <michaelbacon@tiscali.co.uk>
Subject: The Titanic and the Ark
(was: Japanese pension organization phished ... (Macintyre, RISKS-28.67))
"... very few employers seem interested in factoring [IT certifications]
into their hiring process."
Over many years I have interviewed prospective employees for a variety of
roles, from screen-watchers in a SOC to top-flight consultants in 'Big Six'
practices. A great many have adduced certificates of competency in IT and
IT/Information Security. Few have stood my scrutiny.
I have seen candidates with CISSP after their name who had zero trade
experience; I have seen CISAs who couldn't audit their way out of a paper
bag; I have seen people with a "practitioner" certificate whose acquired
knowledge is useless in practice; and I have shown the door to those with a
plethora of Microsoft, Cisco and other manufacturer certifications who
couldn't explain what the first letter in SFTP, SSH, SHTTP meant, let alone
how it worked.
In short, I have never put much store by certificates, but a lot on
real-world, nose-to-the-grindstone, ear-to-the-ground, demonstrable
experience, ideally with a major cock-up in their past from which they have
learned major lessons.
As a consequence, I have recruited great people who were logical in thought,
thorough in approach, and tenacious in execution, and who have gone on to
have great careers. But not one of the best I could name had any
certificate to back up the skills I hired them for.
The Ark was built by one man with no qualifications, the Titanic by people
with certificates.
------------------------------
Date: Sat, 20 Jun 2015 15:07:04 -0700
From: spl@tirebiter.org (Steve Lamont)
Subject: Re: L.A. plans potentially disastrous switch to "electronic" voting
Here's the problem: our election system is *already* hacked and has been for
decades. It seems perversely (and perhaps intentionally) designed to keep
all but the most fervent partisans from voting, especially in off-year
elections, where most of the mischief seems to now occur.
News archives are replete with tales of voters standing for hours in
enormously long lines, waiting for the chance to exercise their franchise.
Shortages of paper ballots are frequent. And, now, of course, states seem
to be intent upon erecting further roadblocks to voting through voter ID
laws, which "solve" the largely non-existent problem of voter fraud.
And we wonder why voter turnout becomes progressively worse each election
and why all too often elections are decided by a few zealots, resulting in
the warped Congress and Senate currently installed in Washington, DC (and
that includes members of *both* parties, mind you).
Now I'm not necessarily advocating electronic voting and certainly not
Internet voting, given the current state of the technology, but perhaps the
time has come for the technologists and security mavens reading this list to
go beyond mere nay-saying and skepticism and come up with verifiable,
auditable solutions that make voting as easy as, say, ordering a new gadget
from Amazon.
------------------------------
Date: Sun, 21 Jun 2015 07:13:38 -0500 (CDT)
From: Harlan Rosenthal <harlan.rosenthal@verizon.net>
Subject: Re: Major League Baseball cancels 60 million all-star votes
(RISKS-28.71)
Look on the bright side: at least the risks were made obvious and apparent
in a vote that has enough importance for people to care (and for publicity),
but less importance than a real governmental vote.
------------------------------
Date: Mon, 17 Nov 2014 11:11:11 -0800
From: RISKS-request@csl.sri.com
Subject: Abridged info on RISKS (comp.risks)
The ACM RISKS Forum is a MODERATED digest. Its Usenet manifestation is
comp.risks, the feed for which is donated by panix.com as of June 2011.
=> SUBSCRIPTIONS: PLEASE read RISKS as a newsgroup (comp.risks or equivalent)
if possible and convenient for you. The mailman Web interface can
be used directly to subscribe and unsubscribe:
http://mls.csl.sri.com/mailman/listinfo/risks
Alternatively, to subscribe or unsubscribe via e-mail to mailman
your FROM: address, send a message to
risks-request@csl.sri.com
containing only the one-word text subscribe or unsubscribe. You may
also specify a different receiving address: subscribe address= ... .
You may short-circuit that process by sending directly to either
risks-subscribe@csl.sri.com or risks-unsubscribe@csl.sri.com
depending on which action is to be taken.
Subscription and unsubscription requests require that you reply to a
confirmation message sent to the subscribing mail address. Instructions
are included in the confirmation message. Each issue of RISKS that you
receive contains information on how to post, unsubscribe, etc.
=> The complete INFO file (submissions, default disclaimers, archive sites,
copyright policy, etc.) is online.
<http://www.CSL.sri.com/risksinfo.html>
*** Contributors are assumed to have read the full info file for guidelines.
=> .UK users may contact <Lindsay.Marshall@newcastle.ac.uk>.
=> SPAM challenge-responses will not be honored. Instead, use an alternative
address from which you NEVER send mail!
=> SUBMISSIONS: to risks@CSL.sri.com with meaningful SUBJECT: line.
*** NOTE: Including the string `notsp' at the beginning or end of the subject
*** line will be very helpful in separating real contributions from spam.
*** This attention-string may change, so watch this space now and then.
=> ARCHIVES: ftp://ftp.sri.com/risks for current volume
or ftp://ftp.sri.com/VL/risks for previous VoLume
http://www.risks.org takes you to Lindsay Marshall's searchable archive at
newcastle: http://catless.ncl.ac.uk/Risks/VL.IS.html gets you VoLume, ISsue.
Lindsay has also added to the Newcastle catless site a palmtop version
of the most recent RISKS issue and a WAP version that works for many but
not all telephones: http://catless.ncl.ac.uk/w/r
<http://the.wiretapped.net/security/info/textfiles/risks-digest/> .
==> PGN's comprehensive historical Illustrative Risks summary of one liners:
<http://www.csl.sri.com/illustrative.html> for browsing,
<http://www.csl.sri.com/illustrative.pdf> or .ps for printing
is no longer maintained up-to-date except for recent election problems.
*** NOTE: If a cited URL fails, we do not try to update them. Try
browsing on the keywords in the subject line or cited article leads.
==> Special Offer to Join ACM for readers of the ACM RISKS Forum:
<http://www.acm.org/joinacm1>
------------------------------
End of RISKS-FORUM Digest 28.72
************************