Update on RISKS-26.40: Some municipalities were lucky in that the system integrator who supplied the computer system and offers maintenance services had backups which were still safe, and so the bulk of the information could be saved (but the latest updates, new births and deaths, people moving out and moving in, etc. are not reflected in the backup).

Geographical diversity of locations to keep backups is often discussed in computer security. How far is a good question. Japan experiences so many earthquakes and there are so many fault lines (known and unknown) that I feel it is not easy to figure out where important backups should be kept. Trying to come up with a candidate location is almost like trying to figure out which disks in a RAID configuration are less likely to experience external hazards. Now, government shall think of keeping backups in duplicate or even triplicate in many corners of Japan. I am not kidding here. The after-shocks from the big earthquake still continue and there have been rather large ones in the last 48 hours or so.

In the lucky cases, some backups were found in the offices of system integrators not affected by the disaster, and some are also duplicated at the national government offices. But some municipalities are not so lucky. So, re-creating the database for citizens is required. The situation is a real-world exercise of web of trust, so to speak.

Some fundamental issues regarding IDs are being asked and temporarily solved at this moment. First of all, in some areas, the government offices and the people who manned them simply disappeared. (I have absolutely no idea how things will be handled there. But the national government is trying to build a new temporary ID system. How do people establish their IDs? If enough neighbors say he/she is what the person claims to be, will that be enough?)

A few municipalities, which still have some paper records, resort to issuing ID papers based on the declaration of the name, address, birth date, and such at a make-shift counter when people come and ask for such ID papers, so that anything that requires ID papers (including application for emergency assistance, etc.) will not be hindered by the lack of ID papers. Presumably if the declared data don't match, ID will not be issued, but what about old people who need assistance and come to the office but can't speak up or are hard of hearing? I can see some trouble here.

The national government is trying to establish a temporary registration system for the evacuees, some of whom have lost every ID paper and have nowhere to live except for the shelters right now. If they leave the current place to move to other areas, they still need to record their movement. Otherwise it would be difficult for them to receive funds from the national emergency aid later. The goodwill of people should make this attempt succeed, but I see many risks of abuse by people with bad intentions, too. ID theft in its worst form can happen. The balance of the rigor of checking and swiftness to issue IDs is requested. We shall see if the temporary system works.

PS: On TV, I saw a disk data salvaging company offering a special service to the people who lost their family members and whose memories are all digital photos in their computers (and backup disks) that were submerged in sea water after the tsunami struck. The sheer number of such disks on a rack is mind boggling. Back in the 1990's, I read that an executive of a large disk company predicted that the biggest problem ahead with emerging large disk capacity is not that of corporate data getting lost. A person comes into a computer shop and says that the only nice photo he/she has of the grandmother who passed away lately is in this malfunctioning disk, and asks if the shop can recover it. That is the problem, the executive said. The prediction has come true on a grand scale. (Of course, the executive assumed that corporations have backup procedures in place. But many companies have lost their financial data both in print and on disks, and even backups from last month.)

PPS: The bottom line here is that backups kept in the same region (not in the same office, or city, even) were not good enough in a situation where a shoreline extending a few hundred kilometers was devastated by tsunami. I hate to bring up this expression in an international forum where different religions are practiced, but I think the English phrase "of biblical proportion" is an apt one here.

PPPS: Yes, this is the first time I experienced the phrase in many contracts that will void them based on "acts of god, ..., mother nature, ..., etc." coming into effect. The office where I work experienced several such cancellations resulting in a large loss of money on our end. But I digress.
> Will they never learn?

No, I don't think so. We actually did have a means of redundancy for where GPS didn't work or wasn't available. It's called Loran, but because GPS was so much cheaper to have around, and most users were no longer depending on Loran, it was decided to save money by choosing to deprecate it and discontinue its operation...

On a related note, the Chief of the San Francisco Fire Department has had to depend upon having a fireboat in the harbor on constant readiness in case of an earthquake or other disaster disrupting the underground water supply to fire hydrants. The relevance of this security practice was made clear when the 1989 Loma Prieta earthquake made the fireboat pumping seawater to fire equipment the only reliable means to fight fires; the water supply to the hydrant system, as expected, was unavailable due to water main breaks from the earthquake. Literally every time there is a budget crisis, the Chief has to justify to the city's Board of Supervisors the necessity of keeping a fireboat on immediate standby, and is always chronically asked if they really need to spend money to keep it in a state of constant readiness.

The lessons of history teach us - if they teach us anything - that no one learns the lessons that history teaches us.
Oak Ridge National Labs (one of the big US energy research labs, along with Sandia, Livermore, Los Alamos, etc.) suffered loss of some amount of data due to a spear phishing attack.

"The attacks were launched through phishing e-mails that were sent to some 573 lab employees. The e-mails were disguised to appear like it came from the lab's HR department and purported to inform employees of some benefits related changes."

Clicking on a link opened a page that silently installed malware through a vulnerability in Internet Explorer that was patched earlier in the week. The interesting part was that they disclosed that of the 500+ employees who received the e-mail, 57 clicked on the link. (Different reports give several different numbers of users who received the link, but all in the 500-600 range.)

To me, the surprising part is that so *few* clicked on the link. Many of us regularly receive e-mails from our employers telling us to click on links to do various things, including signing up for benefits (as in the Oak Ridge example), filling out timecards, accessing paystubs, etc. Employers, IMHO, significantly contribute to the problem, because they train their employees to click on links and are then surprised when they fall victim to spear phishing attacks. Of course the real problem is that clicking on a link shouldn't put us in mortal danger! Blaming the user who clicks on the link, or trying to train them not to do it, is a losing proposition.

http://www.theregister.co.uk/2011/04/19/us_lab_security_breach/
http://www.computerworld.com/s/article/9215962/Oak_Ridge_National_Lab_shuts_down_Internet_email_after_cyberattack

I've also written about the relevance of this attack to Internet voting on the Freedom-To-Tinker blog at
http://www.freedom-to-tinker.com/blog/jeremyepstein/oak-ridge-spear-phishing-and-i-voting
It turns out the majority of the entrance exams recently conducted (the last several years), anything from entrance to the police academy to entrance to universities, have been coded. That is, the multiple choice answers were not random, but used some simple patterns that have no doubt been whispered into the ears of the selected few that were meant to be admitted. Among the several patterns that have been determined, one pattern that I read about was:

"Reorder the choices from the smallest to the largest value. The choice that does NOT move from the original list is the right answer. For example, the answers to some question could be:
  a) 500  b) 700  c) 400  d) 100  e) 200
Reorder it:
  a) 100  b) 200  c) 400  d) 500  e) 700
Hence, (c) must be the right answer."

Using this method, they were able to answer more than 75% of the university entrance exam. The state-appointed directors that created these exams have denied any wrongdoing and say that the "computer" must be at fault, as usual. The discoverer of the method said that this was done to infiltrate more people with religious upbringing into governmental layers. There is a great uproar in Turkey, and the media is having a field day with it—rightly so considering how hard these entrance exams are and for how many years kids have to study to be able to go to a decent school in Turkey. However, the government officials said they are satisfied that this has been a misunderstanding, or a simple coincidence.
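The "unmoved choice" rule quoted above is mechanical enough to audit for. The code below is an added example, not from the RISKS item or from anyone involved in the Turkish case: it computes the rule's prediction for each question, measures how often an official answer key agrees with it, and puts that next to the agreement rate pure chance would produce (for five distinct choices in random order with a randomly placed key, only 7.5% of questions would agree). The five-question exam, both answer keys, and all function names are constructed for the example; question 1 is the post's own.

```python
# Added example, not from the RISKS post: an auditor's check of how strongly an
# official answer key tracks the "unmoved choice" pattern. Exam data is constructed.
from math import factorial


def unmoved_choice(values):
    """Index of the single choice whose position does not change when the choices
    are sorted ascending; None when zero or several choices stay put (the rule as
    quoted does not say what to do then, so no prediction is made)."""
    ordered = sorted(values)
    fixed = [i for i, v in enumerate(values) if v == ordered[i]]
    return fixed[0] if len(fixed) == 1 else None


def derangements(n):
    """Number of permutations of n items with no fixed point: D(0)=1, D(1)=0,
    D(n) = (n-1) * (D(n-1) + D(n-2))."""
    if n == 0:
        return 1
    prev, cur = 1, 0
    for k in range(2, n + 1):
        prev, cur = cur, (k - 1) * (prev + cur)
    return cur


def chance_agreement_rate(n):
    """Fraction of n-choice questions on which the rule's prediction would match a
    key placed uniformly at random among randomly ordered choices:
    P(exactly one fixed point) * P(that position holds the key) = D(n-1)/(n-1)! * 1/n."""
    return derangements(n - 1) / factorial(n - 1) / n


def pattern_agreement(questions, key):
    """(questions predicted, predictions equal to the official key index)."""
    predicted = hits = 0
    for choices, answer in zip(questions, key):
        guess = unmoved_choice(choices)
        if guess is None:
            continue
        predicted += 1
        if guess == answer:
            hits += 1
    return predicted, hits


def audit(questions, key):
    """Share of the whole exam the rule answers correctly, next to the chance baseline."""
    _predicted, hits = pattern_agreement(questions, key)
    return hits / len(questions), chance_agreement_rate(len(questions[0]))


# Constructed five-question exam; question 1 is the example quoted in the post.
QUESTIONS = [
    [500, 700, 400, 100, 200],  # sorted 100 200 400 500 700: only index 2 (c) stays put
    [3, 1, 2, 5, 4],            # nothing stays put: no prediction
    [10, 20, 30, 40, 50],       # already sorted, everything "stays put": no prediction
    [2, 1, 3, 5, 4],            # only index 2 stays put
    [1, 5, 4, 3, 2],            # only index 0 stays put
]
RIGGED_KEY = [2, 0, 1, 2, 0]    # constructed: every predictable question matches the rule
HONEST_KEY = [1, 0, 1, 3, 4]    # constructed: key placed without regard to the rule

if __name__ == "__main__":
    for name, key in (("rigged", RIGGED_KEY), ("honest", HONEST_KEY)):
        rate, baseline = audit(QUESTIONS, key)
        print(f"{name} key: rule answers {rate:.0%} of the exam, chance would give {baseline:.1%}")
```

On the constructed data the rigged key lets the rule answer 60% of the exam against a 7.5% chance baseline, while the honest key gives 0%; on a real exam the comparison of interest is the observed rate against that baseline over hundreds of questions, which is what turns an anecdote into evidence.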
Poul-Henning Kamp writes an article arguing that leap second handling poses an increasing risk to safety-critical systems. http://queue.acm.org/detail.cfm?id=1967009

The argument is roughly as follows:
1) Current earth models cannot predict insertion of leap seconds more than approx. 6 months in advance.
2) This means that computer systems' leap-second handling must be adjusted manually at short notice whenever a leap second is inserted.
3) This causes problems for more and more distributed systems that require an exactly coordinated interpretation of time.
4) The frequency of leap seconds will increase, as the difference between atomic time and earth rotation increases quadratically with wall-clock time, making the problem of 3) even worse.
QED. The RISK of malfunctioning systems will increase.

Of course, PHK suggests remedies; however, his paper and the subsequent online discussion are hardly cause for optimism.

[Of course, distributed systems that are designed to be synchronized to the leap-second are seemingly unrealistic in the first place, considering satellite delays, wire delays, etc. PGN]
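Point 3) is easier to appreciate with numbers. The following is an added example, not from PHK's article or the RISKS item: it shows that the interval between two civil (UTC) timestamps, as POSIX time and Python's datetime compute it, is short by exactly the leap seconds crossed, and that the library cannot even represent 23:59:60, so a timestamp received from a peer during a leap second needs explicit handling. The insertion table is constructed for the example and stops at 2016; every function name is mine.

```python
# Added example, not from PHK's article or the RISKS item. The leap-second table is
# deliberately partial: a real system must refresh it whenever a new one is announced,
# which is exactly the manual, short-notice adjustment the argument complains about.
from datetime import datetime, timedelta, timezone

# Last UTC day before each positive leap second listed here; the extra second
# 23:59:60 sits between that day's 23:59:59 and the next day's 00:00:00.
LEAP_SECOND_DAYS = [
    datetime(2005, 12, 31, tzinfo=timezone.utc),
    datetime(2008, 12, 31, tzinfo=timezone.utc),
    datetime(2012, 6, 30, tzinfo=timezone.utc),
    datetime(2015, 6, 30, tzinfo=timezone.utc),
    datetime(2016, 12, 31, tzinfo=timezone.utc),
]


def utc(*parts):
    """Shorthand for an aware UTC datetime, e.g. utc(2008, 12, 31, 23, 59, 59)."""
    return datetime(*parts, tzinfo=timezone.utc)


def leap_seconds_between(start, end):
    """Leap seconds whose insertion instant falls in the half-open interval (start, end]."""
    count = 0
    for day in LEAP_SECOND_DAYS:
        inserted_before = day + timedelta(days=1)  # the 00:00:00 that follows 23:59:60
        if start < inserted_before <= end:
            count += 1
    return count


def civil_elapsed(start, end):
    """What POSIX time and datetime subtraction report: every day has 86400 seconds."""
    return (end - start).total_seconds()


def physical_elapsed(start, end):
    """Seconds an atomic clock actually ticked between the two instants."""
    return civil_elapsed(start, end) + leap_seconds_between(start, end)


def representable(*parts):
    """False for 23:59:60: the library refuses it, so a coordinated system must decide
    on its own what to do with a leap-second timestamp it receives."""
    try:
        utc(*parts)
        return True
    except ValueError:
        return False


def demo():
    """An interval straddling the 2008 leap second: one civil second, two physical ones."""
    start, end = utc(2008, 12, 31, 23, 59, 59), utc(2009, 1, 1, 0, 0, 0)
    return civil_elapsed(start, end), physical_elapsed(start, end)


if __name__ == "__main__":
    print("civil vs physical seconds across 2008-12-31:", demo())
    print("2016-12-31 23:59:60 representable:", representable(2016, 12, 31, 23, 59, 60))
```

Two nodes that agree on the civil timestamps but hold different versions of the table will disagree on elapsed time by whole seconds, which is the coordinated-interpretation problem the argument describes; a timeout or ordering decision made on that difference is where the risk materialises.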
Obama admin to Congress: Please don't protect Americans' e-mail in the cloud
http://j.mp/fnt4XW (Wired)

The Obama administration is urging Congress not to adopt legislation that would impose constitutional safeguards on Americans' e-mail stored in the cloud. As the law stands now, the authorities may obtain cloud e-mail without a warrant if it is older than 180 days, thanks to the Electronic Communications Privacy Act adopted in 1986. At that time, e-mail left on a third-party server for six months was considered to be abandoned, and thus enjoyed less privacy protection. However, the law demands warrants for the authorities to seize e-mail from a person's hard drive.
McAfee and CSIS Report Reveals Dramatic Increase in Cyberattacks and Sabotage on Critical Infrastructure Yet Organizations Remain Unprepared [McAfee Press Release]
http://www.mcafee.com/us/about/news/2011/q2/20110419-01.aspx
http://www.mcafee.com/us/resources/reports/rp-critical-infrastructure-protection.pdf
"SENSITIVE UK DOCUMENTS revealing how to cause a Fukushima-style reactor meltdown on a nuclear submarine have been posted on the Internet."

"Instead of omitting the sensitive text, the geniuses at the Ministry of Defence simply turned the background behind the letters black. They appeared unreadable, but the words only needed to be copied and pasted into a new document to view them in full."

(How many times must we repeat the same mistakes?)
http://www.theinquirer.net/inquirer/news/2044198/nuclear-submarine-documents-leaked

[Once again to the FORE (or AFT, in this case). PGN]
Gregg Keizer, Skype for Android leaks user data; Users should remove the app from their Android smartphones until Skype fixes it, says security researcher, *Computerworld*, 18 Apr 2011
http://www.infoworld.com/d/mobile-technology/skype-android-leaks-user-data-186

A flaw in Skype for Android could let criminals harvest private information from smartphones, including the user's name and e-mail address, contacts, and chat logs, the Internet calling software maker confirmed Friday. One security researcher called it "sloppy coding" and a "disrespect for your privacy."

Last week, Justin Case, a regular contributor to the Android Police blog, disclosed that Skype on Android does not block access to a number of sensitive data files stored on the handset. The files contain a wealth of information about the Skype account and the smartphone's owner, ranging from full name and date of birth to alternate phone numbers and account balance. Also accessible, said Case, are instant chat logs and all Skype contacts.

"Skype mistakenly left these files with improper permissions, allowing anyone or any app to read them," said Case. "Not only are they accessible, but [they're] completely unencrypted."

Case created an Android application that demonstrated retrieving the unsecured data, and warned that hackers could do the same.
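The defect class here is a data file whose mode lets every other uid read it; on Android each installed app runs under its own uid, so "readable by other" means readable by any other app. The following is an added example, not Skype's code or the researcher's demonstration app: a generic scan for such files, the corresponding fix, and a throwaway directory with constructed contents to run both against. The directory layout and file names are assumptions made for the example.

```python
# Added example, not Skype's or Android Police's code: find app data files that any
# other uid could read, then strip the group/other bits. The tree scanned is built
# here with constructed contents so the example runs anywhere.
import os
import shutil
import stat
import tempfile


def world_readable_files(root):
    """Relative paths under `root` whose mode grants read permission to 'other'."""
    found = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            if os.stat(path).st_mode & stat.S_IROTH:
                found.append(os.path.relpath(path, root))
    return sorted(found)


def lock_down(root):
    """Remedy for what the scan reports: leave only the owner bits on every file.
    (Directory modes matter too on a real device; files are enough to show the point.)"""
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            mode = stat.S_IMODE(os.stat(path).st_mode)
            os.chmod(path, mode & ~(stat.S_IRWXG | stat.S_IRWXO))


def demo():
    """Build an app-data-like tree, scan it, fix it, scan again; returns both findings."""
    root = tempfile.mkdtemp(prefix="appdata-")
    try:
        os.makedirs(os.path.join(root, "files"))
        private = os.path.join(root, "files", "config.xml")  # constructed name
        exposed = os.path.join(root, "files", "main.db")     # constructed name
        for path in (private, exposed):
            with open(path, "w") as fh:
                fh.write("constructed sample contents\n")
        os.chmod(private, 0o600)  # owner only: how private data should be stored
        os.chmod(exposed, 0o644)  # readable by any uid: the kind of slip reported above
        before = world_readable_files(root)
        lock_down(root)
        after = world_readable_files(root)
        return before, after
    finally:
        shutil.rmtree(root)


if __name__ == "__main__":
    before, after = demo()
    print("exposed before:", before, "after:", after)
```

Permissions only keep data from other uids; the second half of the complaint in the article, that the files were unencrypted, is a separate control, since file modes do nothing once the storage is read offline or by a privileged process.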
[Network Neutrality Squad] http://j.mp/g5fxp9 (CSM)

"Moscow - Russia's biggest social network and its top opposition newspaper have been knocked out by massive hacker attacks over the past week, leading some nervous bloggers to suggest that security services may be testing techniques for shutting down the country's freewheeling Internet in the event of a crisis. The list of victims crying foul after the wave of direct denial of service (DDoS) attacks started hitting Russia's LiveJournal site, which has 4.7 million users, include President Dmitry Medvedev. Mr. Medvedev demanded a police inquiry Thursday after his blog on the site was shut down in the online strike."
[Source: Fred Weir, *Christian Science Monitor*, 8 Apr 2011]
http://www.csmonitor.com/World/Europe/2011/0408/Massive-Russian-hacker-attack-threatens-freewheeling-Ru.net

Without any additional info, I'll simply point out that while it's certainly *possible* this was some sort of state-sponsored "test" attack, it's also quite possible that it was completely unrelated hacking. Contrary to what the article implies, it does *not* necessarily require vast financial resources to conduct such an attack, and there are certainly folks out there with the capability of such botnet-based actions who might do so just for "fun" or bragging rights. So without specific evidence, blaming the government, as attractive as that may be given their recent crackdowns, may still be premature.

Network Neutrality Squad: http://www.nnsquad.org
http://www.vortex.com/lauren
People For Internet Responsibility: http://www.pfir.org
PRIVACY Forum: http://www.vortex.com
+1 (818) 225-2800 / Skype: vortex.com
[From Network Neutrality Squad]

"If service providers are required to store your password(s) for 12 months, this will make data loss events even more tragic. For the providers to surrender your password to the police or other government authorities, they must either store your password in plain text, or in some reversible hashing algorithm. The recent SQL injection attack against MySQL/Sun/Oracle disclosed some database passwords that were stored using one-way hashing. Some of these were still able to be brute-force attacked and their plain text determined, but it took some effort. Imagine what could have happened. . . If all businesses doing transactions in France must record your password for every login this will surely lead to the passwords being stored on Internet-facing computers, ripe for the picking by cybercriminals."
http://j.mp/f2pk1D (Sophos)

A requirement for storing plaintext passwords, or passwords "encrypted" in such a way that the original password can be recovered, seems like a law written by criminals for criminals. The potential for disaster, keeping in mind how often many people tend to use the same password for multiple services, is immense. This is another example of the strange duplicity within the EU (well, here in the U.S. as well) when it comes to privacy. On one hand, we have governments slamming Google for useful Street View and harmless accidental capture of data from open Wi-Fi networks, but at the same time implementing draconian data retention requirements that carry genuine risks for serious damage to their citizens.
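What "one-way hashing" buys, and why it is incompatible with a retention rule, is concrete in code. The block below is an added example, not from the Sophos piece or the NNSquad post: it stores a password the way a service should (random salt, iterated PBKDF2-HMAC-SHA256 from the standard library), verifies a login from that record, shows the record holds nothing a surrender order could return, and shows that the only way back from a leaked record is to try candidates at the full per-guess cost, which is the "it took some effort" in the quoted text. The iteration count, the sample password and the wordlist are constructed for the example.

```python
# Added example, not from the Sophos article or the NNSquad item: salted, iterated,
# one-way password storage with hashlib.pbkdf2_hmac, and what it does and does not
# allow. Iteration count, sample password and wordlist are constructed.
import hashlib
import hmac
import os

ITERATIONS = 100_000  # constructed choice; raise it as hardware gets faster


def make_record(password):
    """The only thing the service keeps: (salt, iterations, derived key).
    The password itself is not retained anywhere."""
    salt = os.urandom(16)
    derived = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return salt, ITERATIONS, derived


def verify(record, candidate):
    """Re-derive from the candidate and compare in constant time."""
    salt, iterations, derived = record
    attempt = hashlib.pbkdf2_hmac("sha256", candidate.encode("utf-8"), salt, iterations)
    return hmac.compare_digest(attempt, derived)


def record_contains_password(record, password):
    """What a 'surrender the password' order would need: the password in recoverable
    form. The record holds only salt and derived key; this checks the bytes are absent."""
    salt, _iterations, derived = record
    return password.encode("utf-8") in salt + derived


def offline_guess(record, wordlist):
    """The sole route from a leaked record back to the password: try candidates, each
    costing `iterations` HMAC rounds. Returns the matching word or None."""
    for word in wordlist:
        if verify(record, word):
            return word
    return None


if __name__ == "__main__":
    rec = make_record("correct horse")          # constructed sample password
    print("login ok:", verify(rec, "correct horse"))
    print("record reveals password:", record_contains_password(rec, "correct horse"))
    print("guessed from tiny wordlist:", offline_guess(rec, ["123456", "password", "correct horse"]))
```

A store built this way can answer "is this the password?" but never "what is the password?"; a law requiring the latter forces the service back to plaintext or a reversible scheme, and with password reuse across services a leak of that store is a leak of accounts elsewhere too.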
[From Dave Farber's IP]

Apple AirPlay Private Key Exposed, Opening Door to AirPort Express Emulators
Monday April 11, 2011 02:39 AM EST, Written by Arnold Kim
<http://www.macrumors.com/2011/04/11/apple-airplay-private-key-exposed-opening-door-to-airport-express-emulators/>

Developer James Laird has reverse engineered the Airport Express private key and published an open source AirPort Express emulator called Shareport. This program emulates an Airport Express for the purpose of streaming music from iTunes and compatible iPods. It implements a server for the Apple RAOP protocol.

Previously, the private key was unknown, which meant that only Apple's Airport Express or official 3rd party solutions could wirelessly stream music from iTunes or equivalent. Many existing solutions such as Rogue Amoeba's Airfoil have long been able to stream music to AirPort Express or other AirPlay devices, but not the other way around. A Hacker News commenter illumin8 spells it out:

Previously you could do this:
  iTunes—stream to --> Apple Airport Express
  3rd party software—stream to --> Apple Airport Express
Now you can do this:
  iTunes—stream to --> 3rd party software/hardware

Now, it seems unlikely that any hardware manufacturers will use the unauthorized information to create AirPlay-compatible hardware products, especially when it is possible to be an officially licensed AirPlay partner. However, this does open the door to software solutions. iTunes music, for example, could be streamed to other Macs, non-Macs, customized consoles (Xbox 360), or mobile devices with the right software. The developer originally posted the key to the VideoLan developer mailing list in case there was interest in adding that feature to a future version of VLC.
Robert X. Cringely, Epsilon, spammers in expensive suits; Thanks to Epsilon Data Management, hackers have millions more e-mail addresses to target. Get ready for the spam and scam. *InfoWorld*, 06 Apr 2011
http://www.infoworld.com/t/cringely/epsilon-spammers-in-expensive-suits-091

selected text:

I have to admit I had been feeling a bit left out. Everyone I knew was getting e-mails and letters from companies they do business with warning them about the Epsilon Data Management e-mail breach and what might happen to them. So it was quite a relief when I opened up an e-mail from Marriott yesterday and read the following: [snipped]

According to the company [Epsilon], hackers stole the e-mail addresses for less than 2 percent of its clients, but if Epsilon happens to know which 2 percent, the company hasn't been talking about it. Epsilon posted an extremely terse, detail-challenged press release announcing the breach on April 1 (talk about your April Fools) and hasn't said much since.

Epsilon's client roster reads like a who's who of corporate America: JPMorgan Chase, Capital One, Marriott Rewards, McKinsey Quarterly, U.S. Bank, Citi, Ritz-Carlton Rewards, Brookstone, Walgreens, the College Board, the Home Shopping Network, Target, TiVo, and at least a dozen more.

How did Epsilon get its grubby fingers on my e-mail address in the first place? Fortune 500 firms desperately want to keep an electronic leash on their customers, but they don't have a clue how to do it. Instead, they outsource the job to companies like Epsilon, sharing their massive customer databases with these marketers, who are contractually obligated to keep that data secure. (Apparently Epsilon didn't read the fine print.)

In most cases, all the hackers got was a name and an e-mail address. What bad things could happen? Aside from the fact this data is going to get sold and resold a thousand times to various spammers, the smart money says it will also likely be used for spearphishing campaigns aimed at select customers. My bet is that Epsilon's banking clients will be the first to be phished, since that's the fastest route to money.
RISKS-26.41 quotes Stephen Smoliar lauding Kroger's e-mail to its customers about the Epsilon data breach while decrying the lack of such e-mail from Chase and Capital One. I'm not a fan of the big New York banks, but in fairness I must report that I have credit cards with, and received warning e-mails from, both of these companies.
Electronic Frontier Foundation Media Release
Eva Galperin, Activist, Electronic Frontier Foundation, email@example.com, +1 415 436-9333 x111

'HTTPS Now' Campaign Urges Users to Take an Active Role in Protecting Internet Security
Wide Deployment of Encryption Protocol Provides Basic Security for Web Surfing

San Francisco - The Electronic Frontier Foundation (EFF) and Access have launched an international campaign for HTTPS Now, rallying consumers around the world to help us make web surfing safer.

"We've heard a lot about how malicious tools like Firesheep can be used to steal data, including passwords for e-mail and social networking accounts," said EFF Activist Eva Galperin. "HTTPS Now is aimed at protecting users from attacks like these by spreading the word about HTTPS and how to use it correctly. HTTPS provides the minimum level of security for websites. Without it, no site can make any meaningful security or privacy guarantees to its users."

HTTPS (Hypertext Transfer Protocol Secure) protects web surfing by encrypting requests from a user's browser and the resulting pages that are displayed, but many websites default to using the unencrypted and vulnerable HTTP protocol. The HTTPS Now campaign takes a three-pronged approach to protecting web surfing, including distributing updated tools for people to use to protect their web browsing, taking an Internet-wide survey of the state of HTTPS deployment, and helping website operators implement HTTPS.

As a first step, individuals using the web are encouraged to install HTTPS Everywhere, a security tool for the Firefox browser developed by EFF and the Tor Project. HTTPS Everywhere automatically encrypts a user's browsing, changing it from HTTP to HTTPS whenever possible. Often, however, security vulnerabilities can't be cured by changes to a user's browser. Many websites have not deployed HTTPS, leaving their visitors vulnerable to malicious attacks.

For the second prong, we are asking users to let us know whether the sites they visit use HTTPS. We are hoping that our crowd-sourced survey of websites will give us a relatively accurate picture of the current state of HTTPS deployment and Internet security. Finally, we have created detailed resources for website operators who are interested in learning how to deploy HTTPS and why it's important for them to do so.

"We want to make it easier for web users to get the security they need and deserve, but we can't do it alone. We need an accurate picture of the state of HTTPS on the Internet. After that, we can target website operators and make it easy for them to update their sites," said Jochai Ben-Avie of Access. "Working together, we can all be safer from identity theft, security threats, viruses, and other things that come from an insecure Internet."

For more on HTTPS Now: https://www.httpsnow.org
For this release: https://www.eff.org/press/archives/2011/04/19-0

About EFF
The Electronic Frontier Foundation is the leading civil liberties organization working to protect rights in the digital world. Founded in 1990, EFF actively encourages and challenges industry and government to support free expression and privacy online. EFF is a member-supported organization and maintains one of the most linked-to websites in the world at https://www.eff.org/
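The release describes HTTPS Everywhere as changing a request from HTTP to HTTPS "whenever possible"; the qualifier matters, because a blanket rewrite breaks sites that serve some paths only over HTTP, so the tool works from per-site rules. The code below is an added example, not EFF's or the HTTPS Everywhere code: a minimal rule-driven upgrade that rewrites only hosts a rule covers and leaves excluded paths and non-HTTP URLs untouched. The hosts, paths and rules are constructed for the example.

```python
# Added example, not EFF's or the HTTPS Everywhere code: rule-driven http:// to https://
# rewriting with per-rule exclusions. Hosts, paths and rules are constructed.
import re
from urllib.parse import urlsplit, urlunsplit

# Constructed ruleset: (host regex, regex for paths to leave alone or None).
RULES = [
    (re.compile(r"^(www\.)?example\.org$"), None),
    (re.compile(r"^mail\.example\.net$"), re.compile(r"^/legacy/")),
]


def upgrade(url, rules=RULES):
    """Return the https:// form of `url` if a rule covers its host and does not
    exclude its path; otherwise return the URL unchanged (including non-http schemes)."""
    parts = urlsplit(url)
    if parts.scheme != "http":
        return url
    host = parts.hostname or ""
    for host_re, exclude_re in rules:
        if host_re.match(host):
            if exclude_re is not None and exclude_re.match(parts.path):
                return url  # the rule knows this path is HTTP-only
            return urlunsplit(("https", parts.netloc, parts.path, parts.query, parts.fragment))
    return url  # no rule: the site's HTTPS status is unknown, so do not guess


def upgrade_all(urls, rules=RULES):
    """Apply the ruleset to a batch and report how many URLs were actually changed."""
    out = [upgrade(u, rules) for u in urls]
    return out, sum(1 for before, after in zip(urls, out) if before != after)


if __name__ == "__main__":
    sample = [  # constructed
        "http://www.example.org/login?next=1",
        "http://mail.example.net/inbox",
        "http://mail.example.net/legacy/old.html",
        "http://other.example.com/",
    ]
    rewritten, changed = upgrade_all(sample)
    for before, after in zip(sample, rewritten):
        print(f"{before} -> {after}")
    print("changed:", changed)
```

The last branch is the campaign's reason for the survey prong: a client-side rewrite can only cover hosts someone has already confirmed serve HTTPS correctly, so the ruleset is only as good as the list of sites known to have deployed it.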