The RISKS Digest
Volume 28 Issue 71

Saturday, 20th June 2015

Forum on Risks to the Public in Computers and Related Systems

ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

Please try the URL privacy information feature enabled by clicking the flashlight icon above. This will reveal two icons after each link the body of the digest. The shield takes you to a breakdown of Terms of Service for the site - however only a small number of sites are covered at the moment. The flashlight take you to an analysis of the various trackers etc. that the linked site delivers. Please let the website maintainer know if you find this useful or not. As a RISKS reader, you will probably not be surprised by what is revealed…

Contents

Major League Baseball cancels 60 million all-star votes
PGN
L.A. plans potentially disastrous switch to "electronic" voting
Ars
No ticket with a long name
Debora Weber-Wulff
UN: Encryption a Fundamental Right
Eric Burger
Samsung Keyboard Security Risk - 600M+ devices affected
NowSecure
Payments to RBS customers missing
Richard I Cook
Shooting over cellphone: case is 'extreme', say police
CBC News
Heinz says sorry for ketchup QR code that links to porn site
Appy-geek
Zero-day exploit lets App Store malware steal OS X and iOS passwords
Glenn Fleishman
Don't pay your bills all at once
paul wallich
Officials say security lapses left OMB system open to hackers
PGN
Re: Report: Russia, China Crack Snowden Docs
William Brodie-Tyrrell
Liars trust cheaters, Re: sex, lies, debt exposed by OPM
Mark E. Smith
OPM: Gone Phishing: Shoot the Wounded
Lisa Rein via Henry Baker
Info on RISKS (comp.risks)

Major League Baseball cancels 60 million all-star votes

<Peter G Neumann>
Sat, 20 Jun 2015 02:27:50 -0400
We've long been suggesting in RISKS that Internet Voting was an inherently
BAD IDEA.  Now the folks who run the the so-called American Pastime at the
top professional level may have decided that Internet Voting is really the
American PastTime, although many of us think it is not past time—it is
NOT READY for prime time, and perhaps never will be, for elections of any
real importance.

http://bleacherreport.com/articles/2500903-mlb-cancels-more-than-60-million-all-star-votes-for-fear-of-improper-voting

By the way, apologies for letting "Armenia loses Internet access" slip
through in the previous issue.  That item from 2011 was really past time.


L.A. plans potentially disastrous switch to "electronic" voting

Lauren Weinstein <lauren@vortex.com>
Sat, 13 Jun 2015 08:33:46 -0700
L.A. plans potentially disastrous switch to "electronic" voting
Ars Technica
http://arstechnica.com/tech-policy/2015/06/los-angeles-county-moves-to-open-source-voting-technology/

  The county is also considering a number of customizable options to bolster
  voter turnout, which has suffered in recent years. Along with the new
  system, it plans to introduce a "poll pass," which allows users to
  pre-mark their votes using their phone, tablet, or desktop and scan them
  with a QR code at their polling place. Logan said the new system is
  designed to let users vote anywhere in the county, rather than at a
  designated polling station. He hopes to broaden the 7:00am to 8:00pm
  voting window to a multi-day "voting period," during which a limited
  number of stations would be open prior to the election. There's even talk
  of an electronic equivalent to absentee voting--if and when the law
  permits.

Open source is not a panacea. So much here and planned that could go so very
wrong. They never learn. Note the part about "electronic" absentee
voting. Given how large the absentee voter population is in L.A., this
almost certainly means the disaster of Internet voting.


No ticket with a long name

Prof. Dr. Debora Weber-Wulff <weberwu@htw-berlin.de>
Fri, 19 Jun 2015 17:22:53 +0200
The Swiss newspaper "20 Minuten" (20 minutes) reports that a Swiss woman of
Portuguese descent tried to purchase airline tickets online with the portal
Edreams.ch.  She was informed a few days later that the tickets were
rejected by the airline Swiss because her name of 32 characters was too long
- Swiss only accept 28.
http://www.20min.ch/schweiz/romandie/story/Name-zu-lang---Flugticket-storniert-20762253

Portuguese and Spanish names are quite long, as there is one from the
mother's side and one from the father's side traditionally. Swiss pointed
out that it was edreams fault - they should have asked the customer how she
wanted to abbreviate her name. In the meantime, she was able to buy tickets
from another airline with no length restriction on names—but at a higher
price.

HTW Berlin, Studiengang IMI,Treskowallee 8, 10313 Berlin +49-30-5019-2320
weberwu@htw-berlin.de http://www.f4.htw-berlin.de/people/weberwu/


UN: Encryption a Fundamental Right

"Eric Burger" <eburger@standardstrack.com>
Jun 16, 2015 3:15 PM
  [via Dave Farbert]

On Wednesday, Special Rapporteur on freedom of opinion and expression David
Kaye will present his report on international legal protection for
encryption and anonymity to the United Nations Human Rights Council. The
report is an important contribution to the security conversation at a time
when some Western leaders are calling for ill-informed and impossible
loopholes in technology--a trend that facilitates surveillance and tends to
enable states that openly seek to repress journalists.

http://cpj.org/blog/2015/06/un-report-promotes-encryption-as-fundamental-and-p.php
http://www.washingtonpost.com/blogs/the-switch/wp/2015/02/19/what-president-obama-is-getting-wrong-about-encryption/
http://www.theguardian.com/commentisfree/2015/jan/13/cameron-ban-encryption-digital-britain-online-shopping-banking-messaging-terror
http://cpj.org/blog/2015/01/classifying-media-and-encryption-as-a-threat-is-da.php
http://cpj.org/blog/2015/04/when-it-comes-to-great-firewall-attacks-https-is-g.php
http://www.ohchr.org/EN/Issues/FreedomOpinion/Pages/CallForSubmission.aspx


Samsung Keyboard Security Risk - 600M+ devices affected

Lauren Weinstein <lauren@vortex.com>
Tue, 16 Jun 2015 18:55:50 -0700
NowSecure via NNSquad
https://www.nowsecure.com/keyboard-vulnerability/

  Over 600 million Samsung mobile device users have been affected by a
  significant security risk on leading Samsung models, including the
  recently released Galaxy S6. The risk comes from a pre-installed keyboard
  that allows an attacker to remotely execute code as a privileged (system)
  user ... While Samsung began providing a patch to mobile network operators
  in early 2015, it is unknown if the carriers have provided the patch to
  the devices on their network. In addition, it is difficult to determine
  how many mobile device users remain vulnerable, given the devices models
  and number of network operators globally.


Payments to RBS customers missing

Richard I Cook MD <ricookmd@gmail.com>
Wed, 17 Jun 2015 14:44:01 +0200
About 600,000 payments expected by customers of the RBS group of banks
have failed to enter accounts overnight, the bank has admitted. Payments
including tax credits and disability living allowance are among the payments
that have failed to be credited to accounts.  [...] it had now identified
and fixed the underlying problem. However, it is an embarrassment for the
group which was fined 56M pounds by regulators after a 2012 software issue
left millions of customers unable to access accounts. RBS, NatWest, and
Ulster Bank customers were affected in June 2012 after problems with a
software upgrade. RBS said had invested hundreds of millions of pounds to
improve its computer systems since then.

http://www.bbc.com/news/business-33162855

Shooting over cellphone: case is 'extreme', say police (CBC News)

Jim Reisert AD1C <jjreisert@alum.mit.edu>
Tue, 16 Jun 2015 23:27:33 -0600
The shooting death of an 18-year-old man trying to retrieve his lost
smartphone highlights the risks of using mobile-tracking app, say police.

Jeremy Cook, a native of Brampton, Ont., was gunned down at about 5:15
a.m. ET on Sunday. London police found his body at the rear of a strip mall
near Huron Street and Highbury Avenue in the city's north end. He had
multiple gunshot wounds.

Cook had left his smartphone in a taxi and traced it electronically to an
address on Highbury Avenue.

When he and a relative went to the address, he was confronted by three men
in a car, Steeves told CBC News.

http://www.cbc.ca/news/canada/toronto/shooting-over-cellphone-case-is-extreme-say-police-1.3115069


Heinz says sorry for ketchup QR code that links to porn site

Lauren Weinstein <lauren@vortex.com>
Fri, 19 Jun 2015 08:20:46 -0700
Appy-geek via NNSquad
http://www.appy-geek.com/Web/ArticleWeb.aspx?regionid=1&articleidC584144&source=googleplus

  The QR code linked to a URL used for the "Spread the word with Heinz"
  competition between 2012 and 2014. Heinz allowed the domain name
  "sagsmithheinz.de" to lapse after the competition closed, which was
  subsequently purchased by a purveyor of German adult entertainment.

The right way to have done this, of course, would have been to have the QR
code point at some URL within the permanent Heinz domain and redirect to the
promotion site. Then when the promotion ends you could change the redirect
to something still sensible. But hey, that takes forethought.


Zero-day exploit lets App Store malware steal OS X and iOS passwords (Glenn Fleishman)

Gene Wirchenko <genew@telus.net>
Thu, 18 Jun 2015 12:16:35 -0700
Glenn Fleishman, Macworld, 18 Jun 2015
Researchers discover an exploit that lets OS X and iOS malware in the
App Store steal passwords and app data, as well as hijack session tokens
http://www.infoworld.com/article/2937241/security/zero-day-exploit-lets-app-store-malware-steal-os-x-and-ios-passwords.html


Don't pay your bills all at once

paul wallich <pw@panix.com>
Thu, 18 Jun 2015 11:47:35 -0400
Early this morning my spouse texted me from the airport to let me know that
our credit card had been declined just as she was leaving for a trip. Turns
out there was "suspicious activity" on the card last night, and the
fraud-control folks had put a hold on it. The suspicious transactions: one
small purchase from an online retailer we use often, and three $100-plus
payments over the course of 30 minutes to what turned out to be the local
cable company, electric company and a mobile phone provider.

In other words, my spouse had been financially diligent and made sure all
our current bills were paid before leaving town.

This is by no means intended to ridicule the credit-card company and its
fraud-detection algorithms. The transactions (except, perhaps for the
payees) do fit the common fraud pattern of one small test purchase and then
a bunch of big-ticket ones. And it took less than 10 minutes on the phone to
clear the problem up. But. It did make me think about how vulnerable our
current payment infrastructure is, and about the reversal of roles that has
occurred. Compromised accounts have become so common that, instead of
fraudsters trying to avoid detection, it's the job of legitimate customers
to figure out how not to be mistaken for crooks.


Officials say security lapses left OMB system open to hackers

"Peter G. Neumann" <neumann@csl.sri.com>
Wed, 17 Jun 2015 9:16:51 PDT
http://bigstory.ap.org/article/d81b464390c34ab293e0abb3cccd4fcc/officials-say-security-lapses-left-system-open-hackers

  [The information was indeed very sensitive.  WHY was it on the Web?  PGN]


Re: Report: Russia, China Crack Snowden Docs (RISKS-28.70)

William Brodie-Tyrrell <william@brodie-tyrrell.org>
Wed, 17 Jun 2015 09:19:15 +0930
There is also significant risk in "journalists" publishing the
uncorroborated assertions of anonymous government officials who have a
direct interest in smearing people:

https://firstlook.org/theintercept/2015/06/14/sunday-times-report-snowden-files-journalism-worst-also-filled-falsehoods/


Liars trust cheaters

"Mark E. Smith" <mymark@gmail.com>
Wed, 17 Jun 2015 09:03:54 +0800
Re: Sex, lies and debt potentially exposed by OPM data hack

Had the retired officer disclosed to the government that he'd been cheating
on his taxes rather than cheating on his wife for twenty years (but later
paid up), would he have still gotten his security clearance?


OPM: Gone Phishing: Shoot the Wounded

Henry Baker <hbaker1@pipeline.com>
Thu, 18 Jun 2015 14:21:26 -0700
FYI—OPM sent 750k e-mails to notify Fed employees & asked that *they
click on a link* to sign up for credit monitoring and other protections.
Isn't that how we got here in the first place?

[Of course, whoever stole the OPM data just did a facepalm and is now
thinking: "why didn't I think of that?"]

Lisa Rein, *WashPost*, 18 June 2015
Reacting to Chinese hack, the government may not have followed its own
cybersecurity rules
http://www.washingtonpost.com/blogs/federal-eye/wp/2015/06/18/reacting-to-chinese-hack-the-government-may-not-have-followed-its-own-cybersecurity-rules/

In responding to China's massive hack of federal personnel data, the
government may have run afoul of computer security again.

Over the last nine days, the Office of Personnel Management has sent e-mail
notices to hundreds of thousands of federal employees to notify them of the
breach and recommend that they click on a link to a private contractor's Web
site to sign up for credit monitoring and other protections.

But those e-mails have been met with increasing alarm by employees—along
with retirees and former employees with personal data at risk—who worry
that the communications may be a form of spear phishing used by adversaries
to penetrate sensitive government computer systems.

After the Defense Department raised a red flag about the e-mails its 750,000
civilian employees were starting to receive, OPM officials said late
Wednesday that the government had suspended its electronic notifications
this week.

“We've seen such distrust and concerns about phishing,'' OPM spokesman Sam
Schumach acknowledged, describing the feedback from many of the 4.2 million
current and former employees who are being notified that personnel files
containing their Social Security numbers, addresses and other personal
information may have been stolen.

Computer experts said the personnel agency—already under fire from
lawmakers from both parties for failing to protect sensitive databases from
hackers—could be putting federal systems in jeopardy again by asking
employees to click on links in the e-mails.

“There's a risk that you desensitize people by telling them that
occasionally, there's going to be a very important email you have to click
on,'' said Joseph Lorenzo Hall, chief technologist at the Center for
Democracy & Technology.  He called OPM's first round of e-mail transmissions
the equivalent of “sending a postcard to people saying gee, you just got
hacked, go to this website. The hackers could wise up and send their own set
of fake identity protection e-mails and get into your computers all over
again.''

That's precisely what worried top Defense officials before the chief
information officer of the government's largest agency told OPM last week to
suspend the notifications because they disregarded basic cybersecurity
training that's crucial to ensuring the safety of military networks: Never
click on unfamiliar links, attachments or e-mail addresses because they
expose employees to spear phishing attacks.

Defense offices across the country posted a bulletin in their internal
communication networks from CIO Terry Halvorsen that said OPM was
“suspending notification to DoD personnel that their [Personal Identifying
Information] may have been breached until an improved, more secure
notification and response process can be put in place.''  [...]

Please report problems with the web pages to the maintainer

x
Top