The RISKS Digest
Volume 28 Issue 38

Tuesday, 25th November 2014

Forum on Risks to the Public in Computers and Related Systems

ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

Please try the URL privacy information feature enabled by clicking the flashlight icon above. This will reveal two icons after each link the body of the digest. The shield takes you to a breakdown of Terms of Service for the site - however only a small number of sites are covered at the moment. The flashlight take you to an analysis of the various trackers etc. that the linked site delivers. Please let the website maintainer know if you find this useful or not. As a RISKS reader, you will probably not be surprised by what is revealed…


Catastrophic Vodafone technical fault shuts down raft of key phone services including police 101 and NHS 111 numbers AND Barclays, RAC and First Great Western
Richard I Cook
Spy cable revealed: how telecoms firm worked with GCHQ
Brian Randell
Woman Scammed Out of $8K Through Instagram Job Hoax, Police Say
Monty Solomon
Mobile malware: One in six smartphone users victim of cyber attack
Malware-hosting e-cigs could be bad for your computer's health
Bob Frankston
House Republicans just passed a bill forbidding scientists from advising the EPA on their own research
Lindsay Abrams via Bob Frankston
The safest computers are iPhones and iPads
Galen Gruman
'Bug' spies on computers
Jim Warren
Re: "How to lose customers with excessive security"
Paul Wallich
Re: risks of lobbyist blogs, was "CASL restricts freedom of speech
John Levine
Book review: Ivan Ristic, Bulletproof SSL and TLS ...
Ben Rothke
Info on RISKS (comp.risks)

Catastrophic Vodafone technical fault shuts down raft of key phone services including police 101 and NHS 111 numbers AND Barclays, RAC and

Richard I Cook MD <>
Sat, 22 Nov 2014 16:35:39 +0100
"Catastrophic Vodafone technical fault shuts down raft of key phone services
including police 101 and NHS 111 numbers AND Barclays, RAC and First Great

  [`Catastrophic' might be considered an overstatement with respect to
  Vodafone's services, because in this event the system operation was
  eventually recoverable.  But it would have been catastrophic for any
  callers who might have died as a result of the outage.  PGN]

*Daily Mail*, 22 November 2014

A catastrophic Vodafone technical fault shut down a raft of key phone
services including police and NHS hotlines—and even RAC breakdown
recovery, Barclays bank and First Great Western.  Problems were first
reported at about 9am this morning when callers were unable to reach the
police non-emergency 101 number and NHS 24's medical advice line.  But
customers stranded at the roadside were also unable to get through to RAC
and those with queries about trains were also stuck when trying to get
through on the phone.

Engineers spent hours working to resolve the issue and initially anticipated
that it could take several hours to fix but worked on it as a 'matter of
priority' and most lines were up and running by 1pm.  A spokesperson from
Vodafone said: `'We can confirm that this morning an issue with one of our
fixed line call routing systems temporarily affected the services we provide
to a number of organisations.  However, our engineers have worked hard to
resolve the issue as quickly as possible and services have now been
restored.  We will continue to monitor the service closely and will be
carrying out a full investigation into the issue. We apologise for any
inconvenience caused.''

Spy cable revealed: how telecoms firm worked with GCHQ

"Brian Randell" <>
Nov 21, 2014 9:17 AM
This story was the main one in last night's Channel 4 News. (This IMHO is
one of the best TV news programs here in the UK.)

One of the UK's largest communications firms had a leading role in creating
the surveillance system exposed by Edward Snowden, it can be revealed.
Cable and Wireless even went as far as providing traffic from a rival
foreign communications company, handing information sent by millions of
Internet users worldwide over to spies.  The firm, which was bought by
Vodafone in July 2012, was part of a programme called Mastering the
Internet, under which British spies used private companies to help them
gather and store swathes of Internet traffic; a quarter of which passes
through the UK. Top secret documents leaked by the whistleblower Edward
Snowden and seen by Channel 4 News show that GCHQ developed what it called
"partnerships" with private companies under codenames. Cable and Wireless
was called Gerontic.

Under the moniker, the company carried out tests on equipment used to carry
out the surveillance, it came up with suggestions on how the spies could go
about tapping its network, and even had a GCHQ employee working full-time
within the company.

And a 2011 document reveals that Cable and Wireless went further. The
company rented space on a cable owned by Indian telecoms company Reliance
Communications that stretched from Asia across the Middle East and landed
in Porthcurno in Cornwall. Reliance's transatlantic cable lands in Sennen
Cove six miles to the north. And the two cables come together at nearby
Skewjack Farm. Documents show that in 2011, this allowed Britain's spies to
access all traffic from Reliance's main cable and send it to the GCHQ base
up the coast in Bude.

Top-secret documents from GCHQ show it was this access point, codenamed
Nigella and run by Cable and Wireless, that allowed Britain's spies to
gather the private communications of millions of Internet users worldwide.

Channel 4 News has been unable to establish whether Reliance Communications
was served with a warrant to authorise this and the company has not
responded to our calls. Either way, from having no access to the cable at
all, GCHQ planned to take in a trillion gigabytes of data per second.

The documents show an increasingly close relationship between the spy agency
and Cable and Wireless, which has been operating submarine cables from the
UK for more than a century. From 2008 until at least 2010, Cable and
Wireless held regular meetings with GCHQ and was paid tens of millions of
pounds to establish surveillance on web traffic as it flowed through its
networks. At one point, the Mastering the Internet programme was costing 1m
pounds per month.

Cable and Wireless was bought by Vodafone in a billion-pound takeover.
Documents seen by this programme appear to show that the Nigella access
point was still feeding GCHQ's interception programmes as late as April 2013
-- long after Vodafone's takeover had been completed. And GCHQ's partner
company was still codenamed Gerontic. [..]

Woman Scammed Out of $8K Through Instagram Job Hoax, Police Say

Monty Solomon <>
Tue, 25 Nov 2014 10:58:49 -0500

Mobile malware: One in six smartphone users victim of cyber attack

"Peter G. Neumann" <>
Mon, 24 Nov 2014 13:30:08 PST
PTI, 24 Nov 2014

London: One in six smartphone and tablet device users have fallen prey to a
cyber attack, according to a new study.  The study also found that 60 per
cent of smartphone users and almost half of tablet users are vulnerable to
hacking as these devices have no protection against malicious software.

These can be anything from phishing e-mails that could result in a fraudster
taking over an online account, to 'session hijacking' attacks where a user's
web browsing is interrupted, monitored or even hijacked, Yorkshire Post

Many smartphone and tablet devices users have no protection against
'malware' (i.e., software designed specifically to damage or disrupt a
system).  This is despite nearly half using mobile phones for Internet
banking and one in three for online shopping.

“This year has proved a tipping point for smartphones and tablets,'' said
Ori Eisen of Experian, a global information services company, which
published the study.  “The rapid rise in demand for online banking and
retail combined with very little security on devices has created a massive
opportunity for cyber criminals leaving many people and businesses extremely

Malware-hosting e-cigs could be bad for your computer's health | Digital Trends

"Bob Frankston" <>
22 Nov 2014 13:23:29 -0500
Everything is "IoT" these days. If this is indeed a USB attack anti-malware
might not be enough.

A cheap Chinese cable is believed to have been the root cause of the
problem, and electronic cigarette smokers are advised to stick to the
well-known brands and be wary of shady counterfeit goods when picking up
e-cigs. “For consumers it's a case of running up-to-date anti-malware for
the production line stuff and only using trusted devices to counter the
threat,'' Trend Micro's Rik Ferguson told.

  [PGN notes, Henry Baker, also noted Alex Hern in *The Guardian*, 21 Nov 2014]

House Republicans just passed a bill forbidding scientists from advising the EPA on their own research (Lindsay Abrams)

"Dewayne Hendricks" <>
Nov 21, 2014 2:36 PM
[Note:  This item comes from friend Bob Frankston.  DLH]

Lindsay Abrams, *Salon*, 19 Nov 2014

The "reform" measure makes room for industry-funded experts on the EPA's
advisory board.

Congressional climate wars were dominated Tuesday by the U.S. Senate, which
spent the day debating, and ultimately failing to pass, a bill approving the
construction of the Keystone XL pipeline. While all that was happening, and
largely unnoticed, the House was busy doing what it does best: attacking

H.R. 1422, which passed 229-191, would shake up the EPA's Scientific
Advisory Board, placing restrictions on those pesky scientists and creating
room for experts with overt financial ties to the industries affected by
EPA regulations.

The bill is being framed as a play for transparency: Rep. Michael Burgess,
R-Texas, argued that the board's current structure is problematic because
it  “excludes industry experts, but not officials for environmental
advocacy groups.'' The inclusion of industry experts, he said, would right
this injustice.

But the White House, which threatened to veto the bill, said it would
“negatively affect the appointment of experts and would weaken the
scientific independence and integrity of the SAB.''

In what might be the most ridiculous aspect of the whole thing, the bill
forbids scientific experts from participating in “advisory activities'' that
either directly or indirectly involve their own work. In case that wasn't
clear: experts would be forbidden from sharing their expertise in their own
research—the bizarre assumption, apparently, being that having conducted
peer-reviewed studies on a topic would constitute a conflict of interest.
“In other words,'' wrote Union of Concerned Scientists director Andrew A.
Rosenberg in an editorial for RollCall, “academic scientists who know the
most about a subject can't weigh in, but experts paid by corporations who
want to block regulations can.''

Speaking on the House floor Tuesday, Rep. Jim McGovern, D-Mass., summed up
what was going on: “I get it, you don't like science,'' he told bill
sponsor Rep. Chris Stewart, R-Utah.  “And you don't like science that
interferes with the interests of your corporate clients. But we need science
to protect public health and the environment.''  [...]

  [But corporations are people.  So, why not put corporations on committees?
  We would no longer need people who are not corporations.  <Even though
  that is sarcasm, a smiley-face emoticon would be inappropriate.> PGN]

The safest computers are iPhones and iPads (Galen Gruman)

"Dewayne Hendricks" <>
Nov 21, 2014 5:13 PM
Galen Gruman, Infoworld, 21 Nov 2014
PCs are where the security breaches happen—so stop using them if you can

Every week, it seems, we seem to hear of another breach at a retailer or
other provider. This week, it was the U.S. Postal Service's turn to get its
data center hacked, exposing personal data of 800,000 employees. Data
centers aren't alone in being vulnerable: The state of California's annual
breach report showed that lost or stolen unencrypted computers and USB thumb
drives remain the biggest security threat outside of hacked data
centers. The national breach database run by the Privacy Rights
Clearinghouse shows the same pattern.

But rarely do you see smartphones and tablets in these reports. Why?
Because they're more secure than computers and data centers. That fact must
be galling for the IT security pros fretting over the alleged perils of
mobile devices while the PCs and data centers they manage leak like sieves.
(IT shops have been told for years to encrypt PCs, yet few do.)

But it's true: Mobile devices are safer than PCs and servers.

Let's be clear: Nothing is fully secure. Last week, we learned of Masque
Attack, an iOS attack approach that takes advantage of Apple's feature that
lets enterprises install their own apps rather than use the vetted App
Store. If a hacker uses the same bundle ID for his malware as used by an iOS
app, the pretender can be installed over the legitimate app and go
undetected by mobile management tools. (It's ironic that to escape the grip
of the App Store, enterprise inadvertently enabled this attack vector.)

Apple says it has no reports of actual attacks using this technique and
notes that iOS will warn users if they try to override an existing app
through Masque Attack.

Still, the clear reality is that mobile devices are more secure than PCs and
servers, because—outside of Android—they are less open. For example,
we hear of a handful of security threats in iOS each year versus a handful
every week in Windows.

BlackBerry phones have the strongest security, but they're not able to act
as replacement computers as an iPad can. After BlackBerry, the highest
security comes from Apple's iOS.

If you're concerned about endpoint security, you should replace as many PCs
as you can with iPads and iPhones. Depending on how Android Lolliop's
Android at Work security turns out, maybe you'll be able to add Android
devices to the secure mix.

Using an iPad as a computer replacement is more realistic than ever, thanks
to Apple's iWork suite and Microsoft's Office suite for iOS, especially now
that Microsoft's good iPad Office apps also run on iPhones.

Of course, a computer can tackle many tasks a tablet or smartphone can't --
taking advantage of a big screen for complex documents and work processes is
an obvious one. But using a computer also carries much a higher risk.

For employees who need to run PC-only apps and/or require more screen real
estate and input flexibility than a tablet provides, the PC may be the sole
viable choice as their primary computing platform. For those who don't, make
the move to mobile.

`Bug' spies on computers

"Jim Warren" <>
Nov 24, 2014 4:56 PM
A leading computer security company says it has discovered one of the most
sophisticated pieces of malicious software ever seen.  Symantec says the
bug, named Regin, was probably created by a government and has been used for
six years against a range of targets around the world.  Once installed on a
computer, it can do things like capture screenshots, steal passwords or
recover deleted files.

Experts say computers in Russia, Saudi Arabia and Ireland have been hit
most.  It has been used to spy on government organisations, businesses and
private individuals [...].

--jim; Jim Warren, open-govt & tech-civlib advocate & sometime columnist
  justjim36 on twitter  |  Jim Warren on Facebook

Re: "How to lose customers with excessive security" (Gruman, RISKS-28.37)

Paul Wallich <>
Sat, 22 Nov 2014 17:24:54 -0500
I was just thinking about this because my bank has kindly locked me out of
Kickstarter (as well as, occasionally, various non-US merchants). It seems
that KS does a test transaction when you pledge, and this triggers their
fraud-detection algorithm, so they decline the transaction. (It is possible
to get the payment through by spending an hour or so on the phone with their
security department, assuming I have the time and foresight to call during
some subset of business hours before the KS campaign in question terminates,
but as a regular practice that's not going to happen.)

While it may be a good idea to reduce my addiction to the hope of receiving
possibly-useful widgets at some time in the indefinite future, I really
don't want my bank making that choice. So after 35 years with them, I'm
looking for a less-secure alternative...

Re: risks of lobbyist blogs, was "CASL restricts freedom of speech (Jackson, RISKS-28.37)

"John Levine" <>
22 Nov 2014 16:59:34 -0000

If you follow the link at the bottom of this page to the article's source,
you'll find the blog of Barry Sookman, who, based on the extensive stuff
he's written and presented, seems to be a full time anti-CASL lobbyist.  The
paper itself was written [by] a summer intern at Cassels Brock & Blackwell
LLP, a law firm that is drumming up CASL related business, together with a
law school faculty member.

I helped write CASL, and I can say that the free speech arguments are silly.
This is a rear guard action by marketers who are mad that they can't legally
spam anyone, anywhere, like their American colleagues can.

Book review: Ivan Ristic, Bulletproof SSL and TLS ...

Ben Rothke <>
Tue, 25 Nov 2014 13:50:50 -0500
Ivan Ristic
Bulletproof SSL and TLS: Understanding and Deploying SSL/TLS and PKI
  to Secure Servers and Web Applications, 1 Aug 2014

If SSL is the emperor's new clothes, then Ivan Ristic in Bulletproof SSL and
TLS has shown that perhaps the emperor isn't wearing anything at all. There
is a perception that if a web site is SSL secured then it's indeed secure.
Read a few pages in this important book and the SSL security myth is

For the first 8 of the 16 chapters, Ristic (one of the greatest practical
SSL/TLS experts around) spends 230 pages showing countless weaknesses --
vulnerabilities—attacks and other SSL weaknesses. He then spends the next
8 chapters showing how SSL can—if done correctly—be deployed to
provide adequate security.  Full review here:

Please report problems with the web pages to the maintainer