The RISKS Digest
Volume 27 Issue 72

Monday, 27th January 2014

Forum on Risks to the Public in Computers and Related Systems

ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

Please try the URL privacy information feature enabled by clicking the flashlight icon above. This will reveal two icons after each link the body of the digest. The shield takes you to a breakdown of Terms of Service for the site - however only a small number of sites are covered at the moment. The flashlight take you to an analysis of the various trackers etc. that the linked site delivers. Please let the website maintainer know if you find this useful or not. As a RISKS reader, you will probably not be surprised by what is revealed…

Contents

Signal Failure at Grand Central
Peter Wild
NEWS FLASH: Alarms are distracting! Turing off alarms is a priority!
Richard Irvin Cook
Hackers Steal Law Enforcement Inquiry Documents from Microsoft
Lauren Weinstein
Gmail glitches down worldwide; Hotmail hitches
Etherington/Perez
Stolen Laptops
Laura Corriss
Converting Google Chrome into a Bugging Device by exploiting Speech Recognition feature - The Hacker News
David Farber
"Google dismisses eavesdropping threat in Chrome"
Keremy Kirk via Gene Wirchenko
How Google Calendar can tip off your boss that you want a raise
Dan Goodin via Monty Solomon
Proofpoint Uncovers Internet of Things Cyberattack
Jim Reisert
Apple.com does more to protect your password ...
Dan Goodin via Monty Solomon
Snapchat's new "security" feature holds up about as long as a double cheeseburger
Lauren Weinstein
BYOD? Leaving a Job Can Mean Losing Pictures of Grandma
Lauren Weber Monty Solomon
You don't want your privacy: Disney and the meat space data race
John Foreman via Monty Solomon
Re: Risks-27.71: Medical "scribes" ease doctor's data entry burden
David Lesher
Re: Software licensing as information leak
Dimitri Maziuk
Name-collision risks
Burt Kaliski
2nd Neuro-Inspired Computational Elements Workshop
Murat Okandan
Info on RISKS (comp.risks)

Signal Failure at Grand Central

"Peter.Wild@sbcglobal.net" <peter.wild@sbcglobal.net>
Fri, 24 Jan 2014 14:30:27 -0500
causes 2-hour disruption; one power supply shut down for replacement; the
other had a disconnected wire

  [As I say to a few close confidants that, as an auditor, I am grateful
  that my clients continue to make the same mistakes - because that is what
  keeps me relevant!!!]

I thought that you might like to include the item below, the event happened
at Grand Central station in New York City last night.  What is does not talk
about are the stampedes that happened when trains started running, it was
almost dangerous.

  - - - -

An Explanation & Apology for Last Evening's (Thursday, 23 Jan 2014)
System-Wide Disruption of Service

The two-hour disruption in service you experienced last evening traced to
human error during an electrical repair project.

The computers that run the railroad's signal system lost reliable power at
7:45 PM when one of two main power supply units was taken out of service for
replacement. Technicians performing the work did not realize that a wire was
disconnected on the other main power supply unit. This destabilized the
power supply system for more than an hour until a backup supply could be
connected.

At the time this incident occurred, there were more than 50 trains at
various locations on all three lines. While the cause of this power problem
was being identified and repairs were being made, Rail Traffic Controllers
immediately took the safest course of action.  They instructed all train
engineers, via radio, to bring their trains to the nearest station. This had
to be done slowly, train-by-train, to ensure everyone's safety. Trains were
not allowed to proceed through switches until signal maintainers could
respond and manually ensure the switches were lined up correctly.  All
trains had light, heat and power during the disruption, and no customers
were ever in danger. Customers were able to get off trains when they reached
a station.

Repairs were made by 9 PM.  Once repairs were made, the computers needed to
reboot before we could begin running trains again.  Trains began moving
again by 9:30 PM. Full control over the signal system was re-established by
10:30 PM.  Significant delays continued throughout the evening hours.  This
project should have been analyzed for risks and redundancy before it began,
and it should have been performed in the middle of the night over a weekend,
not when thousands of customers were trying to get home in cold weather.
While this specific incident has been addressed and an internal review is
underway, we are also bringing in an independent consultant to examine how
and why these mistakes were made, and to recommend any necessary changes to
operating procedures and practices.

Metro-North customers deserve better.  We sincerely regret this incident and
apologize for the inconvenience our customers experienced.

Peter Wild,  Mobile (203) 722 9453


NEWS FLASH: Alarms are distracting! Turing off alarms is a priority!

Richard Irvin Cook <rcook@kth.se>
Mon, 27 Jan 2014 12:45:34 +0000
Silencing Many Hospital Alarms Leads To Better Health Care
<http://www.npr.org/blogs/health/2014/01/24/265702152/silencing-many-hospital-alarms-leads-to-better-health-care>

Richard I Cook, MD, Professor of Healthcare System Safety, STH, KTH,
Huddinge, SWEDEN  +46 70 190 42 16 www.ctlab.org<http://www.ctlab.org>

  [The Foresight Saga once again: An ounce of prevention is worth nothing
  at all, because it would pound healthcare into oblivion?  PGN]


Hackers Steal Law Enforcement Inquiry Documents from Microsoft

Lauren Weinstein <lauren@vortex.com>
Sat, 25 Jan 2014 08:44:58 -0800
  Targeted attacks like this are not uncommon, especially for an
  organization like Microsoft. What's interesting about this is that the
  incident was significant enough to disclose, indicating that a fair number
  of documents could have been exposed, or that the company fears some
  documents will make their way to the public if released by the attackers
 —which may be the case if this was a `hacktivist' attack.  “In terms of
  the cyberattack, we continue to further strengthen our security.  This
  includes ongoing employee education and guidance activities, additional
  reviews of technologies in place to manage social media properties, and
  process improvements based on the findings of our internal investigation."
  (Adrienne Hall, General Manager of Microsoft's Trustworthy Computing Group)
  http://j.mp/1gcN2tK
  [Source: Mike Lennon, Security Week, 24 Jan 2014; via NNSquad, PGN-ed]


Gmail glitches, Hotmail hitches

"Peter G. Neumann" <neumann@csl.sri.com>
Fri, 24 Jan 2014 15:18:40 PST
Darrell Etherington, Gmail and Google+ go down across the world, service
returns after roughly 50 minutes, TechCrunch
  http://techcrunch.com/2014/01/24/gmail-goes-down-across-the-world

Sarah Perez, Glitch is causing thousands of e-mails to be sent to one man's
Hotmail account, TechCrunch
  http://techcrunch.com/2014/01/24/gmail-glitch-is-causing-thousands-of-emails-to-be-sent-to-one-mans-hotmail-account/


Stolen Laptops

Laura Corriss <lcorriss@earthlink.net>
Sat, 25 Jan 2014 13:51:34 -0500
  [From Steve Greenwald's Greenwald-INFOSEC]

Okay, here we go again.  Gee, Coke just announced that "employee data was
exposed".  How?  Stolen laptops. Wow!  Who would have guessed it?

How is this still happening?

Actually, I know.  Last May the laptop belonging to the head of Human
Resources at my place of employment was stolen (but not reported to us peons
(otherwise know as the organization's employees) until late December).  A
couple of weeks ago the university's executive committee announced that that
same HR department head was promoted to Vice President, making HR a separate
division.  And nothing else has been said about the matter.  There has been
no response to the numerous e-mails and complaints that have been made (many
by me, and I haven't given up).

Apparently, the people running the university see that this problem is
prevent (after all, it's happening to large financial institutions, fortune
500 companies, even the government) so evidently there is nothing they can
do about it.

Maybe the focus of all the security experts on this list (and everywhere
else) should be to start an information campaign to tell them that, yes,
there are things that can be done and here's a list of what to do.

Research is important.  Figuring out how to stay ahead (or even get close
to) of the hackers, thieves, insiders (i.e. the "bad guys") is important.
Discussing what is and isn't working is important.

But, what is even more important is getting the information out there,
beyond just the IT department (assuming that they have a clue).  We might
not be able to prevent stolen laptops, but we certainly can make sure that
the resulting problems are mitigated.

My approach is to get the attention of the HR department head and the CIO
and outline for them exactly what can be done to protect this from happening
again (and to protect the reputation of the university).  I will bring in
anyone and everyone who can and is willing to help me.

I think this list should start publishing a public blog addressing these
issues.  All of you have connections and all of you have credentials that
should make people, including executives, listen and pay attention.
Protecting data on stolen laptops might be a good place to start.

Anyone agree?  Anyone interested? Does anyone have a better suggestion?

Because every time something like this happens, it makes the security
community look inconsequential and incompetent.


Converting Google Chrome into a Bugging Device by exploiting Speech Recognition feature - The Hacker News

David Farber <dfarber@me.com>
Thu, 23 Jan 2014 18:00:40 -0500
http://thehackernews.com/2014/01/converting-google-chrome-into-bugging.html


"Google dismisses eavesdropping threat in Chrome" Keremy Kirk)

Gene Wirchenko <genew@telus.net>
Fri, 24 Jan 2014 14:39:40 -0800
Jeremy Kirk, InfoWorld, 23 Jan 2014 Chrome can access a computer's
microphone after a person thinks a speech recognition feature is off, says
Web developer
http://www.infoworld.com/d/security/google-dismisses-eavesdropping-threat-in-chrome-234824

selected text:

Google said there's no threat from a speech recognition feature in its
Chrome browser that a developer said could be used to listen in on users.

But Ater found that Chrome remembers if a person granted permission to a
site that uses HTTPS, a security feature that encrypts communication between
a client and a server. It will allow sites using HTTPS to start listening in
the future without asking for permission again.

The attack doesn't work if permission isn't granted to enable speech
recognition.


How Google Calendar can tip off your boss that you want a raise (Dan Goodin)

Monty Solomon <monty@roscom.com>
Mon, 27 Jan 2014 02:55:57 -0500
Dan Goodin, Ars Technica, 23 Jan 2014
Potential privacy leak "feature" continues to take some users by surprise.

It's a feature that has bitten Google Calendar users in the past, but it's
worth a reminder: in some cases, the widely used service may unexpectedly
leak sensitive information to bosses, spouses, or just about anyone else.

The inadvertent leakage stems from Google Calendar's quick add feature,
which is designed to automatically add the who, what, and where to events
without requiring a user to manually enter those details. Typing "Brunch
with Mom at Java 11am Sunday" is intended to schedule the event for the
following Sunday morning at 11 and list the place as "Java." Participants
can be added by listing their e-mail addresses, and in many cases, Google
will respond by automatically adding an entry to the participants' calendar
as well.

Google heavily promoted this time-saving feature during the rollout of its
mail and calendar services. But as documented as early as 2010, the behavior
can also result in the leakage of private information for people who are
unaware of it. Alas, almost four years later, it's still catching some
people by surprise. Blogger Terence Eden explained how an entry his wife put
in her personal Google Calendar made its way to her boss. It read: "e-mail
[boss's address] to discuss pay rise" and included a date a few months in
the future.  The boss quickly received the reminder as an entry in her own
Google Calendar. [...]

http://arstechnica.com/security/2014/01/how-google-calendar-can-tip-off-your-boss-you-want-a-raise/


Proofpoint Uncovers Internet of Things Cyberattack (Re: R 27 71)

Jim Reisert AD1C <jjreisert@alum.mit.edu>
Thu, 23 Jan 2014 19:14:38 -0700
More than 750,000 Phishing and SPAM e-mails Launched from "Thingbots"
Including Televisions, Fridge [PGN-ed]

SUNNYVALE, Calif.  January 16, 2014. Proofpoint, Inc., a leading
security-as-a-service provider, has uncovered what may be the first proven
Internet of Things (IoT)-based cyberattack involving conventional household
"smart" appliances. The global attack campaign involved more than 750,000
malicious e=mail communications coming from more than 100,000 everyday
consumer gadgets such as home-networking routers, connected multi-media
centers, televisions and at least one refrigerator that had been compromised
and used as a platform to launch attacks. As the number of such connected
devices is expected to grow to more than four times the number of connected
computers in the next few years according to media reports, proof of an
IoT-based attack has significant security implications for device owners and
Enterprise targets. [...]

"Bot-nets are already a major security concern and the emergence of
thingbots may make the situation much worse" said David Knight, General
Manager of Proofpoint's Information Security division. "Many of these
devices are poorly protected at best and consumers have virtually no way to
detect or fix infections when they do occur.  Enterprises may find
distributed attacks increasing as more and more of these devices come
on-line and attackers find additional ways to exploit them."

http://www.proofpoint.com/about-us/press-releases/01162014.php


Apple.com does more to protect your password ... (Dan Goodin)

Monty Solomon <monty@roscom.com>
Mon, 27 Jan 2014 02:51:51 -0500
Dan Goodin, Ars Technica, 24 Jan 2014
Apple.com does more to protect your password, study of top 100 sites finds
Which sites allow "123456"?
Study names/shames the best/worst password policies.

Apple, Microsoft, Chegg, Newegg, and Target do the best job of safeguarding
customer passwords, according to a comprehensive study of the top 100
e-commerce websites that also ranked Major League Baseball, Karmaloop,
Dick's Sporting Goods, Toys R Us, and Aeropostale as performing the worst.

Apple.com was the only site to receive a perfect score of 100, which was
based on 24 criteria, such as whether the site accepts "123456" and other
extremely weak passwords and whether it sends passwords in plaintext by
e-mail. Microsoft and academic supplier Chegg tied for second place with 65,
while Newegg and Target came in third with 60.  By contrast, MLB received a
score of -75, Karmaloop a -70, Dick's Sporting Goods a -65, and Aeropostale
and Toys R US each got a -60.  Each site was awarded or deducted points
based on each criterion, leading to a possible score from -100 and 100. The
study was conducted by researchers from password manager Dashlane based on
the password policies in effect on the top 100 e-commerce sites from January
17 through January 22. [...]

http://arstechnica.com/security/2014/01/apple-com-does-more-to-protect-your-password-study-of-top-100-sites-finds/


Snapchat's new "security" feature holds up about as long as a double cheeseburger

Lauren Weinstein <lauren@vortex.com>
Thu, 23 Jan 2014 09:45:20 -0800
http://j.mp/1aME2Xu  (Steve's Computer Vision Blog via NNSquad)

  "With very little effort, my code was able to "find the ghost" in the
  above example with 100% accuracy. I'm not saying it is perfect, far from
  it. I'm just saying that if it takes someone less than an hour to train a
  computer to break an example of your human verification system, you are
  doing something wrong. There are a ton of ways to do this using computer
  vision, all of them quick and effective. It's a numbers game with
  computers and Snapchat's verification system is losing."

 - - -

The problem is that Snapchat is demonstrating that they don't really care
about security at all. They're hardly even going through the motions.

  [See also 4.6 million Snapchat phone numbers and usernames leaked
  (RISKS-27.68) and other items in RISKS-27.69.  PGN]


BYOD? Leaving a Job Can Mean Losing Pictures of Grandma (Lauren Weber)

Monty Solomon <monty@roscom.com>
Mon, 27 Jan 2014 01:23:00 -0500
Lauren Weber, *Wall Street Journal*, 21 Jan 2014
Some Companies Wipe Workers' Personal Cellphones Clean After They Leave

In early October, Michael Irvin stood up to leave a New York City restaurant
when he glanced at his iPhone and noticed it was powering off. When he
turned it back on again, all of his information-email programs, contacts,
family photos, apps and music he had downloaded-had vanished.

The phone looked "like it came straight from the factory," said Mr.  Irvin,
an independent health-care consultant.

It wasn't a malfunction. The device had been wiped clean by AlphaCare of New
York, the client he had been working for full-time since April. Mr. Irvin
received an email from his AlphaCare address that day confirming the phone
had been remotely erased. [...]

http://online.wsj.com/news/articles/SB10001424052702304027204579335033824665964


You don't want your privacy: Disney and the meat space data race (John Foreman)

Monty Solomon <monty@roscom.com>
Mon, 27 Jan 2014 00:42:00 -0500
John Foreman, MailChimp, 18 Jan 2014

SUMMARY:

MailChimp Chief Data Scientist is at Disney World this weekend wearing his
RFID-equipped MagicBand. Here's how he thinks the practice of digitally
tracking consumers in the physical world will reach everywhere from theme
parks to our homes.

http://gigaom.com/2014/01/18/you-dont-want-your-privacy-disney-and-the-meat-space-data-race/


Re: Risks-27.71: Medical "scribes" ease doctor's data entry burden

David Lesher <wb8foz@panix.com>
Fri, 24 Jan 2014 13:43:53 -0500
> ... Instead, electronic health records have become a disease in need of a
> cure, as physicians do their best to diagnose and treat patients while
> continuously feeding the data-hungry computer.

Was this not entirely predictable? The whole EMR charade was hyped as being
the penultimate solution to everything wrong with healthcare in the United
States.

But what EMR use was really doing was taking the #1 critical resource choke
point, the work time of the MD, and instead of optimizing it, demanding
[s]he spend time on clerical work best done by someone less skilled, less
trained, and far far less expensive per minute.

[The MD time touches another medical issue, infection control. Yes, if they
thoroughly scrubbed between each patient visit as they do rounds, it would
reduce infection spread. But where will that scrub time come from; what else
gets dropped?]

To me, the whole EMR euphoria harks back to the promises re: how electronic
voting machines were going to err solve all our election problems. The
common thread: The Hill dumped lots of money onto a problem, without really
looking at what the solution would be. It's rather like the Cardassian legal
system: Sentence First, Verdict Later; but here it's "Money First, Thinking
Later..."


Re: Software licensing as information leak (Levy, RISKS-27.71)

Dimitri Maziuk <dmaziuk@bmrb.wisc.edu>
Fri, 24 Jan 2014 09:57:48 -0600
On Fri, 10 Jan 2014 Stuart Levy wrote:

> ...  The design is for enterprise system administrators to be able to
> track *all* software installed on *any* monitored machine—and select
> some subset of packages as "interesting".  Interesting software can be
> usage-tracked, and optionally flagged as being under a variety of kinds of
> license control ... and monitored ...

The flip side: a scientist working on NMR spectra is using several (of many)
software packages to combine multiple spectra, FFT them, identify regions of
interest, clean up the noise, and so on and so forth. A lot of it is manual
and is driven by the scientist's expertise. The end result is often the 3D
structure of the studied molecule that yields insight into its biological
function and leads to new drugs etc.

The problem is reproducibility: in order to get from the original raw data
to the same exact final result, potentially you need to not only use the
same software but also the exact versions and retrace the exact sequence of
steps. Or not—but as long we can do that, we can't prove otherwise or run
any software comparison studies.

So yeah, we want to know not only what software you're using but also what
you did with it in exact detail. Otherwise we can have one study claim that
zinc kills common cold virus and another: that it kills small furry kittens,
and no way to reproduce either result.

(I expect NMR is not the only field where this exists, it's the one I'm
familiar with.)


Name-collision risks

"Kaliski, Burt" <bkaliski@verisign.com>
Thu, 23 Jan 2014 15:05:46 +0000
As I've just noted on my Verisign blog today, we're organizing a workshop in
March 2014 on the risks of "name collisions" in the Domain Name System - a
major topic in the ICANN community of late:

  http://namecollisions.net/
  http://blogs.verisigninc.com/blog/entry/collisions_ahead_look_both_ways

I thought you might find this of interest in your ongoing effort to collect
and analyze computer system risks.  I've enjoyed following your commentary
over the years, from my early days in cryptography and security.

The risk is not well known outside the Domain Name System community, and
we're looking for ways to get more of industry informed and engaged.

The workshop is open to the public.  Papers will be selected by the
technical program committee.  In addition, the top papers will receive
awards of up to $50,000.

Burt Kaliski Jr., Senior Vice President and CTO, bkaliski@Verisign.com
m: 571-528-2679  t: 703-948-4664  12061 Bluemont Way, Reston, VA  20190


2nd Neuro-Inspired Computational Elements Workshop

Murat Okandan <mokanda@sandia.gov>
Mon, 27 Jan 2014 10:07:59 -0800
Sandia National Laboratories and DARPA will be hosting the 2nd annual
Neuro-Inspired Computational Elements Workshop (NICE 2014), 24-26 Feb 2014

Objective: The focus of this workshop is the creation of next generation of
information processing/computation architectures beyond stored program
architecture and Moore's Law limits.

Goal: Bring together researchers from different scientific disciplines and
applications areas that are converging towards a new computational /
information processing approach, determine potential pathways, identify
applications that would have immediate benefit, and pursue resources to
accelerate activity in those areas.

A list of confirmed speakers is available at the event web site.
Registration: Cost for the workshop is $150.
Event website: http://nice.sandia.gov_
Contact: Murat Okandan <mokanda@sandia.gov>, Ph.D., Chair, 1-505-284-6624
Event Organization Linda Wood <llwood@sandia.gov1>, 1-505-284-8404

Please report problems with the web pages to the maintainer

x
Top