The Risks Digest

The RISKS Digest

Forum on Risks to the Public in Computers and Related Systems

ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

Volume 28 Issue 31

Friday 24 October 2014

Contents

Audi Recalls 850,000 Cars Over Airbag Software Flaw
NYT via Monty Solomon
Feds examining medical devices for fatal cybersecurity flaws
David Kravets via Monty Solomon
NOAA is having major weather satellite data feed issues
danny burstein
Belkin routers around the globe unable to connect to the Internet
Myce
India probes identity card for monkey god Hanuman
BBC via Prashanth Mundkur
Machine Tasked with Getting Rid of Spam Could End Humanity
Elon Musk
The Exascale Revolution
Tiffany Trader
Dangers of an IT monoculture
Robert L Wears
IoT as a Hazard: Smart Meters prove vulnerable
Bob Gezelter
Hackers' Attack Cracked 10 Financial Firms in Major Assault
NYT
Cyberattack on JPMorgan Raises Alarms at White House and on Wall Street
NYT
The Unpatchable Malware That Infects USBs Is Now on the Loose
Andy Greenberg
ComputerCOP: dubious "Internet Safety Software" given to US families
Ars
iOS 8.1 plugs security hole that made it easy to install emulators
Kyle Orland
"Cisco, Oracle find dozens of their products affected by Shellshock"
Lucian Constantin
"Mayhem malware spreads through Linux servers via Shellshock exploits"
Lucian Constantin
Bug in Bash shell creates big security hole on anything with *nix in it
Brett Mahar
Samsung printer sniffers
David Lesher
Twitter Sues U.S. Government Over Data Disclosure Rules
Monty Solomon
Dozens of European ATMs rooted, allowing criminals to easily cash out
Robert Lemos
Using new Corvette's valet-recording tech could be a felony in some states
Megan Geuss
"The Dark Market for Personal Data"
Frank Pasquale
"Patent trolls have one fewer legal loophole to hide behind"
Simon Phipps via Gene Wirchenko
The "he said, she said" of how the FBI found Silk Road's servers
Ars
New York City orders Bluetooth beacons in pay phones to come down
Ars
Seeing where the last taxi passenger went
Jeremy Epstein
JPMorgan Discovers Further Cyber Security Issues
Monty Solomon
7 million Dropbox username/password pairs apparently leaked
Ars
Russia's Sandworm Hack Spying on Foreign Governments for Years
WiReD
Google report on EU "right to be forgotten" requests
Lauren Weinstein
This POODLE bites: exploiting the SSL 3.0 fallback
Google
Re: Firedrive and Cloudflare
Jay Grizzard
Re: Firedrive has gone down taking millions of files with it
Henry Baker
Info on RISKS (comp.risks)

Audi Recalls 850,000 Cars Over Airbag Software Flaw

Monty Solomon <monty@roscom.com>
Fri, 24 Oct 2014 06:30:53 -0400
The recall of the 2013-15 A4 model includes about 102,000 cars in the United
States, and the company said it had no reports of related accidents.

http://www.nytimes.com/2014/10/24/business/audi-recalls-850000-cars-over-airbag-software-flaw.html


Feds examining medical devices for fatal cybersecurity flaws (David Kravets)

Monty Solomon <monty@roscom.com>
Fri, 24 Oct 2014 01:16:26 -0400
David Kravets, Ars Technica, 23 Oct 2014,
They could be controlled remotely, overdose patients, or thwart heart implants.

http://arstechnica.com/tech-policy/2014/10/feds-examining-medical-devices-for-fatal-cybersecurity-flaws/


NOAA is having major weather satellite data feed issues

danny burstein <dannyb@panix.com>
Wed, 22 Oct 2014 22:41:42 -0400 (EDT)
(I can't find a copy of their actual news release, so using this press story)

"Since Tuesday night, NESDIS, NOAA's satellite and information service, has
been experiencing network issues, and has not received a full feed of
satellite data for input, a critical component for the numerical models used
to forecast the weather"

http://www.accuweather.com/en/weather-news/noaa-network-issue-may-impact/36161909

It took a *year* for them to fix the NOAA/AHR radio transmitter in NYC,
and that only happened after a WSJ article...


Belkin routers around the globe unable to connect to the Internet (Myce)

Lauren Weinstein <lauren@vortex.com>
Tue, 7 Oct 2014 13:40:29 -0700
Myce via NNSquad
http://www.myce.com/news/belkin-router-users-worldwide-unable-to-connect-to-the-internet-73019/

As a workaround, Belkin is suggesting that users change their routers' DNS
settings to use Google DNS on 8.8.8.8 and 8.8.4.4:

https://statuspage-production.s3.amazonaws.com/static/belkin.html
(interesting URL)


India probes identity card for monkey god Hanuman (BBC)

Prashanth Mundkur <prashanth.mundkur@gmail.com>
Thu, 23 Oct 2014 01:26:19 -0700
BBC, 12 September 2014
http://www.bbc.com/news/world-asia-india-29175870

Authorities in India are investigating how Hanuman, the monkey god, has been
issued a biometric identity card.  [...]  It emerged when a postman
attempted to deliver the card, but could not find a Hanuman at the address.


Machine Tasked with Getting Rid of Spam Could End Humanity (Elon Musk)

"Matthew Kruk" <mkrukg@gmail.com>
Fri, 10 Oct 2014 13:21:55 -0600
http://www.vanityfair.com/online/daily/2014/10/elon-musk-artificial-intelligence-fear


The Exascale Revolution (Tiffany Trader)

"ACM TechNews" <technews@hq.acm.org>
Fri, 24 Oct 2014 12:11:58 -0400 (EDT)
Tiffany Trader, The Exascale Revolution, HPC Wire, 23 Oct 2014
  (via ACM TechNews, Friday, October 24, 2014)

Experts are coming to a consensus that the shift from the petascale to the
exascale supercomputing eras is going to be more challenging than many
previously anticipated.  At the recent Argonne National Laboratory Training
Program in Extreme Scale Computing, Pete Beckman, director of Argonne's
Exascale Technology and Computing Institute, highlighted some of the
possible problems.  One major concern is power and the costs associated with
it.  Although supercomputers have been getting more energy-efficient,
Beckman uses the example of the most recent generations of IBM
supercomputers to demonstrate a 5x trajectory of energy efficiency gains
that would still have an exascale system requiring 64 megawatts of power,
which could cost tens of millions of dollars a year.  These cost concerns
are prompting many countries to pursue exascale computing on an
international scale, forming multinational partnerships to share the massive
costs.  The U.S. and Japan recently entered such an agreement, and Europe is
looking to join them.  However, China is proceeding on its own, largely on
the strength of its own native technology.  Beckman also addressed
challenges relating to memory and resilience and the need to update software
to be able to make use of exascale resources.
http://orange.hosting.lsoft.com/trk/click?ref=znwrbbrs9_5-cd87x2bdf9x068385&


Dangers of an IT monoculture

"Robert L Wears, MD, MS, PhD" <wears@ufl.edu>
Fri, 24 Oct 2014 11:32:55 -0400
A recent paper in a medical journal raises ()concerns about the emergence of
an IH 'monoculture' in healthcare.  But, the paper misses IMHO the most
significant risk of a monoculture—that it increases the magnitude of the
inevitable failures.  In agriculture and ecosystems, monocultures lead to
the more rapid spread of pests and diseases, and are more vulnerable to
catastrophic collapse, particularly when conditions change.  In a
heterogeneous population of EHRs, the occasional failure of any given system
due to hidden bugs, vulnerabilities, hacking, or unexpected interactions
with the conditions of use would create major problems for individual
institutions or work systems (e.g., see RISKS-23.19, 23.81, 24.68, 25.45,
25.51, 26.25, 28.3) but its impact would be limited.  However, if a large
proportion of systems all contain the same vulnerability ... what could
possibly go wrong?  The original paper available at:
http://jamia.bmj.com/content/early/2014/10/23/amiajnl-2014-003023.abstract

Robert L Wears, University of Florida  wears@ufl.edu 1-904-244-4405 (ass't)
Imperial College London r.wears@imperial.ac.uk +44 (0)791 015 2219


IoT as a Hazard (IaaH): Smart Meters prove vulnerable

"Bob Gezelter" <gezelter@rlgsc.com>
Fri, 17 Oct 2014 09:46:10 -0700
It should not be surprising. While the Internet of Things (IoT) has great
promise, widely-deployed, connected devices are an attractive target for all
kinds of mischief.  SecurityAffairs reports that Javier Vazquez Vidal and
Alberto Garcia Illera explored smart power meters used in Spain. They found
that they could be hacked, and exploited in a number of ways (e.g.,
transferring usage, reporting false data).  The lack of integrity in such
devices also raises the possibility that large numbers of compromised
devices could be used to present a false picture to utility operators,
compromising the operation of the utility's production and transmission
facilities. A profoundly disturbing picture.  Meters and other devices also
represent a potential privacy hazard to the individual.  The full article
can be found at:
http://securityaffairs.co/wordpress/29353/security/smart-meters-hacking.html
Bob Gezelter, http://www.rlgsc.com


Hackers' Attack Cracked 10 Financial Firms in Major Assault (NYT)

Monty Solomon <monty@roscom.com>
Sun, 5 Oct 2014 00:36:07 -0400
Matthew Goldstein, Nicole Perlroth and David E. Sanger, *The New York Times*,
3 Oct 2014

The huge cyberattack on JPMorgan Chase that touched more than 83 million
households and businesses was one of the most serious computer intrusions
into an American corporation. But it could have been much worse.

Questions over who the hackers are and the approach of their attack concern
government and industry officials. Also troubling is that about nine other
financial institutions - a number that has not been previously reported -
were also infiltrated by the same group of overseas hackers, according to
people briefed on the matter. The hackers are thought to be operating from
Russia and appear to have at least loose connections with officials of the
Russian government, the people briefed on the matter said. ...
http://dealbook.nytimes.com/2014/10/03/hackers-attack-cracked-10-banks-in-major-assault/

Jessica Silver-Greenberg, Matthew Goldstein, Nicole Perlroth, NYT, 2 Oct 2014
JPMorgan Chase Hacking Affects 76 Million Households
Hackers' Attack Cracked 10 Financial Firms in Major Assault
http://dealbook.nytimes.com/2014/10/02/jpmorgan-discovers-further-cyber-security-issues/

Ways to Protect Yourself After the JPMorgan Hacking
Tara Siegel Bernard, *The New York Times*, 3 Oct 2014
http://www.nytimes.com/2014/10/04/your-money/jpmorgan-chase-hack-ways-to-protect-yourself.html


Cyberattack on JPMorgan Raises Alarms at White House and on Wall Strete

Monty Solomon <monty@roscom.com>
Wed, 8 Oct 2014 19:55:48 -0400
Other financial institutions—Citigroup, E*Trade Financial and HSBC --
found that one of the same web addresses used to penetrate JPMorgan had
tried to get into their systems.

http://dealbook.nytimes.com/2014/10/08/cyberattack-on-jpmorgan-raises-alarms-at-white-house-and-on-wall-street/


The Unpatchable Malware That Infects USBs Is Now on the Loose (Andy Greenberg)

Monty Solomon <monty@roscom.com>
Sat, 4 Oct 2014 23:35:31 -0400
Andy Greenberg, *WiReD*, 2 Oct 2014

It's been just two months since researcher Karsten Nohl demonstrated an
attack he called BadUSB to a standing-room-only crowd at the Black Hat
security conference in Las Vegas, showing that it's possible to corrupt any
USB device with insidious, undetectable malware. Given the severity of that
security problem-and the lack of any easy patch-Nohl has held back on
releasing the code he used to pull off the attack. But at least two of
Nohl's fellow researchers aren't waiting any longer.

In a talk at the Derbycon hacker conference in Louisville, Kentucky last
week, researchers Adam Caudill and Brandon Wilson showed that they've
reverse engineered the same USB firmware as Nohl's SR Labs, reproducing some
of Nohl's BadUSB tricks. And unlike Nohl, the hacker pair has also published
the code for those attacks on Github, raising the stakes for USB makers to
either fix the problem or leave hundreds of millions of users vulnerable. ...

http://www.wired.com/2014/10/code-published-for-unfixable-usb-attack/


ComputerCOP: dubious "Internet Safety Software" given to US families

Lauren Weinstein <lauren@vortex.com>
Wed, 1 Oct 2014 08:32:48 -0700
Ars via NNSquad
http://arstechnica.com/tech-policy/2014/10/computercop-the-dubious-internet-safety-software-given-to-families-nationwide/

  Police chiefs, sheriffs, and district attorneys have handed out hundreds
  of thousands of copies of the disc to parents for free at schools,
  libraries, and community events, usually as a part of an "Internet Safety"
  outreach initiative. (You can see the long list of ComputerCOP outlets
  here.) The packaging typically features the agency's official seal and the
  chief's portrait, with a signed message warning of the "dark and dangerous
  off-ramps" of the Internet.  As official as it looks, ComputerCOP is
  actually just spyware, generally bought in bulk from a New York company
  that appears to do nothing but market this software to local government
  agencies using shady information.  The way ComputerCOP works is neither
  safe nor secure. It isn't particularly effective either, except for
  generating positive PR for the law enforcement agencies distributing
  it. As security software goes, we observed a product with a
  keystroke-capturing function, also called a "keylogger," that could place
  a family's personal information at extreme risk by transmitting those
  keystoke logs over the Internet to third-party servers without
  encryption. That means many versions of ComputerCOP leave children (and
  their parents, guests, friends, and anyone using the affected computer)
  exposed to the same predators, identity thieves, and bullies that police
  claim the software protects against.  Furthermore, by providing a free
  keylogging program--software that operates without even the most basic
  security safeguards--law enforcement agencies are passing around what
  amounts to a spying tool that could easily be abused by people who want to
  snoop on spouses, roommates, or co-workers.


iOS 8.1 plugs security hole that made it easy to install emulators (Kyle Orland)

Monty Solomon <monty@roscom.com>
Thu, 9 Oct 2014 00:21:14 -0400
Kyle Orland, Ars Technica, 8 Oct 2014
"Date trick" workaround allowed for unapproved apps without jailbreaking.
http://arstechnica.com/gaming/2014/10/ios-8-1-plugs-security-hole-that-made-it-easy-to-install-emulators/


"Cisco, Oracle find dozens of their products affected by Shellshock" (Lucian Constantin)

Gene Wirchenko <genew@telus.net>
Thu, 02 Oct 2014 15:33:58 -0700
Lucian Constantin, Infoworld, 30 Sep 2014
Cisco, Oracle find dozens of their products affected by Shellshock
Cisco has identified 71 products vulnerable to Shellshock and Oracle
51, but the number is likely to increase
http://www.infoworld.com/article/2689356/security/cisco-oracle-find-dozens-of-their-products-affected-by-shellshock.html


"Mayhem malware spreads through Linux servers via Shellshock exploits" (Lucian Constantin)

Gene Wirchenko <genew@telus.net>
Tue, 14 Oct 2014 11:53:44 -0700
Lucian Constantin, Infoworld, 10 Oct 2014
The botnet targets Web servers that haven't been patched for recent
vulnerabilities found in the Bash Linux shell
http://www.infoworld.com/article/2824494/security/mayhem-malware-spreads-through-linux-servers-via-shellshock-exploits.html


Re: Bug in Bash shell creates big security hole on anything with *nix in it (Weinstein, RISKS-28.29)

Brett Mahar <brett@coiloptic.org>
Wed, 1 Oct 2014 13:37:03 +1000
Not on OpenBSD, bash is not the shell, unless manually installed and
configured to be. Also, all network facing services are installed in chroot
by default, so even if bash was the made the default shell it would be
inaccessible.


Samsung printer sniffers (via Dave Farber)

David Lesher <wb8foz@panix.com>
Oct 3, 2014 6:10 PM
I was planning on spec'ing a quantity of Samsung printers for a client. We
bought a sample. The Mac driver installed OK, but the Windows one had a very
disturbing message during installation: Samsung was going to sniff the
printer's output, to {of course} better serve the customer. [I paraphrase
slightly....]

Needless to say, I was far from pleased. I tried to disallow same during the
installation, but got no confirmation that it happened.

{I can guess Samsung does not sell many printers to either Ft. Meade or
Langley.}

I've tried to reach someone at Samsung's printer division but got nowhere;
Support does not see it as their potato, and Sales's voicemail said they
will call me Back Real Soon Now.


Twitter Sues U.S. Government Over Data Disclosure Rules

Monty Solomon <monty@roscom.com>
Tue, 7 Oct 2014 18:12:58 -0400
The social media giant wants to loosen restrictions on what it is allowed to
tell users about government information requests.

http://bits.blogs.nytimes.com/2014/10/07/twitter-sues-u-s-government-over-data-disclosure-rules/


Dozens of European ATMs rooted, allowing criminals to easily cash out (Robert Lemos)

Monty Solomon <monty@roscom.com>
Wed, 8 Oct 2014 09:00:58 -0400
Robert Lemos, Ars Technica, 7 Oct 2014
Criminals with physical access to ATMs install malware to control flow of money.

Criminals are installing fairly sophisticated malicious programs on banks'
ATMs, allowing them to control access to the machines and easily steal cash,
security firms Kaspersky and Interpol said in a joint statement released on
Tuesday. ...

http://arstechnica.com/security/2014/10/dozens-of-european-atms-rooted-allowing-criminals-to-easily-cash-out/


Using new Corvette's valet-recording tech could be a felony in some states (Megan Geuss)

Monty Solomon <monty@roscom.com>
Wed, 8 Oct 2014 09:08:15 -0400
Megan Geuss, Ars Technica, 26 Sep 2014
GM is sending updated software to make Valet Mode less legally questionable.

http://arstechnica.com/tech-policy/2014/09/new-corvettes-valet-recording-tech-could-be-a-felony-in-12-states/


"The Dark Market for Personal Data" (Frank Pasquale)

Marc Rotenberg <rotenberg@epic.org>
Thu, 16 Oct 2014 21:00:43 -0400
Frank Pasquale, *The New York Times* op-ed, 16 Oct 2014
http://www.nytimes.com/2014/10/17/opinion/the-dark-market-for-personal-data.html

The reputation business is exploding. Having eroded privacy for decades,
shady, poorly regulated data miners, brokers and resellers have now taken
creepy classification to a whole new level.  They have created lists of
victims of sexual assault, and lists of people with sexually transmitted
diseases. Lists of people who have Alzheimer's, dementia and AIDS. Lists of
the impotent and the depressed.

There are lists of impulse buyers. Lists of suckers: gullible consumers who
have shown that they are susceptible to vulnerability-based marketing.  And
lists of those deemed commercially undesirable because they live in or near
trailer parks or nursing homes. Not to mention lists of people who have been
accused of wrongdoing, even if they were not charged or convicted.

Typically sold at a few cents per name, the lists don't have to be
particularly reliable to attract eager buyers—mostly marketers, but also,
increasingly, financial institutions vetting customers to guard against
fraud, and employers screening potential hires.

There are three problems with these lists. First, they are often
inaccurate. For example, as The Washington Post reported, an Arkansas woman
found her credit history and job prospects wrecked after she was mistakenly
listed as a methamphetamine dealer. It took her years to clear her name and
find a job.

Second, even when the information is accurate, many of the lists have no
business being in the hands of retailers, bosses or banks. Having a medical
condition, or having been a victim of a crime, is simply not relevant to
most employment or credit decisions.

Third, people aren't told they are on these lists, so they have no
opportunity to correct bad information. The Arkansas woman found out about
the inaccurate report only when she was denied a job. She was one of the
rare ones.  [...]

Frank Pasquale, a professor of law at the University of Maryland, is the
author of the forthcoming book,T he Black Box Society: The Secret Algorithms
That Control Money and Information.


"Patent trolls have one fewer legal loophole to hide behind" (Simon Phipps)

Gene Wirchenko <genew@telus.net>
Fri, 17 Oct 2014 14:33:51 -0700
      It is nice to see the patent trolls having risks.

Simon Phipps, InfoWorld | 16 Oct 2014
With one subtle stroke, the Judicial Conference of the United States
retires an old rule—and denies patent trolls a major weapon
http://www.infoworld.com/article/2834542/patents/rule-change-hits-trolls.html


The "he said, she said" of how the FBI found Silk Road's servers

Monty Solomon <monty@roscom.com>
Fri, 3 Oct 2014 16:43:38 -0400
http://arstechnica.com/tech-policy/2014/10/the-he-said-she-said-of-how-the-fbi-found-silk-roads-servers/


New York City orders Bluetooth beacons in pay phones to come down

Monty Solomon <monty@roscom.com>
Tue, 7 Oct 2014 10:28:58 -0400
http://arstechnica.com/tech-policy/2014/10/new-york-city-orders-bluetooth-beacons-in-pay-phones-to-come-down/


Seeing where the last taxi passenger went

Jeremy Epstein <jeremy.j.epstein@gmail.com>
Sun, 12 Oct 2014 08:31:45 -0400
On a recent ride from Washington Dulles airport (IAD) to my home in the
Virginia suburbs, the cab had an Android tablet mounted to the back of the
front-seat passenger seat, running an app that allowed you to see the
weather, driver information, etc.  But the most interesting thing was that
it allowed you to enter your destination in Google Maps, which is useful for
drivers who may not know the area and/or whose English isn't the best.

A tool like this could be particularly useful if it allowed input in
multiple languages—i.e., allow a Japanese visitor to enter their
destination in Japanese; similarly if such a thing were in a taxi in Japan,
it would be useful to allow an English-speaking visitor to enter their
destination in English.  [Perhaps such things already exist; I haven't seen
one.]

However, the part that gave me slight pause was that in the destination
field, I could see the most recent half dozen destinations that cab had
gone, and there was no (obvious) way to clear destinations if I entered
mine.

At one level, this isn't a big deal—if the cab had been on the street,
then the most recent destination was presumably near where I got it.  On the
other hand, if the driver was being dispatched, the recent destinations
might be places where the driver had recently picked up passengers, and
hence likely empty homes.

One could also hypothesize interesting things one might learn—if one sees
a politician getting out of a cab, one might be interested in where he/she
was coming from - i.e., from a lobbyist's office or a secret lover's
hideaway.

But all this depends on getting just the right timing - finding the right
person coming out of the cab, and getting in before another passenger.

Overall, I think the risk is low, but it might be surprising to taxi
customers that a future customer can find out where they went.


JPMorgan Discovers Further Cyber Security Issues

Monty Solomon <monty@roscom.com>
Thu, 2 Oct 2014 17:07:10 -0400
The nation's largest bank recently found that hackers had gained entry to
some of its servers, say several people with knowledge of the investigation.
http://dealbook.nytimes.com/2014/10/02/jpmorgan-discovers-further-cyber-security-issues/


7 million Dropbox username/password pairs apparently leaked

Lauren Weinstein <lauren@vortex.com>
Mon, 13 Oct 2014 21:20:31 -0700
Ars via NNSquad

http://arstechnica.com/security/2014/10/7-million-dropbox-usernamepassword-pairs-apparently-leaked/

  "Popular online locker service Dropbox appears to have been hacked. A
  series of posts have been made to Pastebin purporting to contain login
  credentials for hundreds of Dropbox accounts, with the poster claiming
  that altogether 6,937,081 account credentials have been compromised.
  Reddit users who have tested some of the leaked credentials have confirmed
  that at least some of them work. Dropbox seems to have bulk reset all the
  accounts listed in the Pastebin postings, though thus far other accounts
  do not appear to have had their passwords reset.  The hackers claim that
  they will release more username/password pairs if they receive donations
  to their bitcoin address."

It's like damned "Groundhog Day" ...

LATER Update: Dropbox is saying that this is not a hack per se, but rather a
cross-site shared password attack—which of course can still cause
a lot of problems if you share your passwords between services and don't
have 2-factor authentication enabled.  [NNSquad]


Russia's Sandworm Hack Spying on Foreign Governments for Years

Lauren Weinstein <lauren@vortex.com>
Mon, 13 Oct 2014 21:27:35 -0700
Wired via NNSquad
http://www.wired.com/2014/10/russian-sandworm-hack-isight/

  "A cyberespionage campaign believed to be based in Russia has been
  targeting government leaders and institutions for nearly five years,
  according to researchers with iSight Partners who have examined code used
  in the attacks.  The campaign, dubbed "Sandworm" is believed to have been
  running since 2009, and used a wide-reaching zero-day exploit uncovered by
  the researchers that affects nearly every version of the Windows operating
  system released since Windows Vista."

    [Also noted by Bob Gezelter]
http://www.isightpartners.com/2014/10/cve-2014-4114/

- Bob Gezelter, http://www.rlgsc.com


Google report on EU "right to be forgotten" requests

Lauren Weinstein <lauren@vortex.com>
Fri, 10 Oct 2014 11:46:52 -0700
Google via NNSquad
http://www.google.com/transparencyreport/removals/europeprivacy/

European privacy requests for search removals. // Total URLs that Google has
evaluated for removal: 497,695 URLs // Total requests Google has received:
144,954 requests // 41.8% removal approval rate.


This POODLE bites: exploiting the SSL 3.0 fallback

Lauren Weinstein <lauren@vortex.com>
Tue, 14 Oct 2014 17:58:06 -0700
Google via NNSquad
http://googleonlinesecurity.blogspot.com.au/2014/10/this-poodle-bites-exploiting-ssl-30.html

  "Today we are publishing details of a vulnerability in the design of SSL
  version 3.0. This vulnerability allows the plaintext of secure connections
  to be calculated by a network attacker. I discovered this issue in
  collaboration with Thai Duong and Krzysztof Kotowicz (also Googlers).  SSL
  3.0 is nearly 15 years old, but support for it remains widespread. Most
  importantly, nearly all browsers support it and, in order to work around
  bugs in HTTPS servers, browsers will retry failed connections with older
  protocol versions, including SSL 3.0. Because a network attacker can cause
  connection failures, they can trigger the use of SSL 3.0 and then exploit
  this issue."

    [See also Kim Zetter, *WiReD*, 14 Oct 2014
     <http://www.wired.com/2014/10/poodle-explained/> ]


Re: Firedrive and Cloudflare

Jay Grizzard <elfchief@lupine.org>
Fri, 24 Oct 2014 08:11:07 -0700
The recent firedrive.com outage has triggered several messages to RISKS that
have pointed a finger at Cloudflare as a culpable party, because the IP
address for firedrive.com matches IP addresses also owned by
Cloudflare. While the latter is true (firedrive.com is in Cloudflare's IP
space), this does not actually imply Cloudflare involvement, complacency, or
responsibility.

Cloudflare is a Content Distribution Network (CDN). Basically, this means
that they host no data at all—they sell distribution services, much the
same way a phone company does (though a better analogue might be an
answering service). Companies (like Firedrive) pay Cloudflare to proxy
incoming traffic for them, and cache the parts of that data that can be
cached, as a way to offload traffic from their own servers, and make their
websites more responsive to their users.

Blaming Cloudflare, in this case, is like blaming an answering service
because your doctor's office isn't picking up their phone. No matter how
much you beg, the answering service can't help you with that funny looking
mole you just discovered—all they can do is pass on your requests, and
hope that your doctor responds.

Cloudflare is just an intermediary here.

The real risk (beyond the mis-attribution of problems) is the continued
belief that "the cloud" is some kind of magic sauce that relieves you of
responsibility for the safety of your data (i.e. keeping backups). Any given
cloud provider is a place you can store data, but cloud providers can fail,
just like physical media can. Storing your important data on a single cloud
provider is akin to storing your important data on a single hard drive. You
/probably/ won't have a failure that causes you to lose data, but cloud
providers (like hard drives) are fallible, and I seriously doubt that this
will be the last major failure of a cloud storage company.


Re: Firedrive has gone down taking millions of files with it (Brady, RISKS-28.30)

Henry Baker <hbaker1@pipeline.com>
Fri, 24 Oct 2014 06:12:31 -0700
Two words: "Erasure Code":

http://en.wikipedia.org/wiki/Erasure_code

"In information theory, an erasure code is a forward error correction (FEC)
code for the binary erasure channel, which transforms a message of k symbols
into a longer message (code word) with n symbols such that the original
message can be recovered from a subset of the n symbols"

Aka RAIC—Redundant Array of Independent Clouds

Please report problems with the web pages to the maintainer

Top