The Risks Digest

Forum on Risks to the Public in Computers and Related Systems

ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

Volume 28 Issue 65

Tuesday 25 May 2015

Contents

The atrocious security of Trident nuclear subs
Henry Baker
Amtrak, After Derailment, Told to Expand Automatic Brake Use
NYTimes via Monty Solomon
A world ripe for the picking / Diploma mill edition
NYTimes via Bob Frankston
Fake Diplomas, Real Cash: Pakistani Company Axact Reaps Millions
Monty Solomon
Axact, Fake Diploma Company, Threatens Pakistani Bloggers Who Laugh at Its Expense
Monty Solomon
Text of Axact's Response to The New York Times
Monty Solomon
Net Neutrality
Melissa Silmore via Dewayne Hendricks
John Deere: of course you "own" your tractor, but only if you agree to let ...
Gabe Goldberg
Inside Google's Secret War Against Ad Fraud
Adage
Risks of online test taking
Jeremy Epstein
Secret files reveal police feared that Trekkies could turn on society
Elizabeth Roberts via Henry Baker
HTTPS-crippling attack threatens tens of thousands of Web and mail servers
Ars Technica
Paranoid defence controls could criminalise teaching encryption
The Conversation
US proposes tighter export rules for computer security tools
Jeremy Kirk via Richard Forno
Africa's Worst New Internet Censorship Law Could be Coming to S.A.
EFF
"The Venom vulnerability: Little details bite back"
Paul Venezia
Only 3% of people aced Intel's phishing quiz
Jeff Jedras
URL-spoofing bug in Safari could enable phishing attacks
Lucian Constantin
"New LogJam encryption flaw puts Web surfers at risk"
Jeremy Kirk
Critical vulnerability in NetUSB driver exposes millions of routers to hacking
Lucian Constantin
The Body Cam Hacker Who Schooled the Police
Medium
Cybersecurity letter to the President 19-May-2015
John Denker
Is security really stuck in the Dark Ages?
Network World
Adult dating site hack exposes millions of users
Geoff White via Henry Baker
Man tries to report Starbucks vulnerability, is accused of fraud
Sakurity
A Russian Smartphone Has to Overcome Rivals and Jokes About Its Origin
NYTimes
Some People Do More Than Text While Driving
NYTimes
Re: Drug database: third-party doctrine
Harlan Rosenthal
Re: All cars must have tracking devices
Chris Drewe
Re: Banned Researcher Commandeered a Plane
Erling Kristiansen
Info on RISKS (comp.risks)

The atrocious security of Trident nuclear subs

Henry Baker <hbaker1@pipeline.com>
Mon, 18 May 2015 05:18:07 -0700
While the TSA fondly fondles all of us prior to getting on a commercial
airplane flight, the security of a British Trident nuclear submarine is less
than that of a posh nightclub!

"It's harder to get into most nightclubs than it is to get into the Green
Area.  There's still the pin code system to get through the gate!  Oh wait,
No there's not, it's broke, and anyone standing there that has thrown their
security pass in or *not*, will get buzzed through.  If you have a Green
area pass or any old green card you can just show it to them from about 3
metres away (if the boat's on the first berths; if not 1 metre) then get
Buzzed Through!!"

"Missile Compartment 4 deck turns into a gym.  There are people sweating
their asses of [sic] between the missiles, people rowing between a blanket
of s**t because the sewage system is defective, sometimes the s**t sprays
onto the fwd starboard missile tubes and there's also a lot of rubbish
stored near the missile tubes."

"There were a few incidents of people in the gym dropping weights near the
nuclear weapon's firing units.  I heard one person joke about how he
accidentally throw a weight and it nearly hit a missiles firing unit."

"I sent this report on the 05/05/15 to every major newspaper, freelance
journalists, and whistle-blower I could find.  It is now the 12/05/15.  I've
had one email reply;"

http://www.theguardian.com/uk-news/2015/may/18/navy-whistleblower-on-run-alleged-trident-safety-failings

ALSO:

Navy whistleblower on the run after exposing alleged Trident safety failings

MoD launches investigation into claims of Able Seaman William McNeilly, who
says he will hand himself into police.

Josh Halliday

Monday 18 May 2015 09.18 BST Last modified on Monday 18 May 2015 12.15 BST

A Royal Navy submariner who blew the whistle on a catalogue of alleged
security failings around the Trident nuclear programme has said he will hand
himself in to police.

http://cryptome.org/2015/05/william-mcneilly.pdf

Able Seaman William McNeilly, 25, a newly qualified engineer, claimed that
Britain's nuclear deterrent was a “disaster waiting to happen'' in a report
detailing 30 alleged safety and security breaches, including a collision
between HMS Vanguard and a French submarine during which a senior officer
thought: “We're all going to die.''

McNeilly wrote that a chronic manpower shortage meant that it was “a matter
of time before we're infiltrated by a psychopath or a terrorist; with this
amount of people getting pushed through.''

The police and Royal Navy launched a hunt for the whistleblower after he
failed to report back for work last week at the Faslane submarine base on the
Clyde.  But on Monday morning McNeilly said he would hand himself over to the
authorities despite facing a possible prosecution under the Official Secrets
Act 1989.

Speaking to the BBC, he said: “I'm not hiding from arrest; I will be back
in the UK in the next few days and I will hand myself in to the police.
Prison—such a nice reward for sacrificing everything to warn the public
and government.  Unfortunately that's the world we live in.  I know it's a
lot to sacrifice and it is a hard road to walk down, but other people need
to start coming forward.''

In the 19-page report, titled The Secret Nuclear Threat, published online
alongside a picture of his UK passport and Royal Navy identity card,
McNeilly said he wanted “to break down the false images of a perfect
system that most people envisage exists.''

He described bags going unchecked and said it was “harder getting into
most nightclubs'' than into control rooms, with broken pin code systems
and guards failing to check passes.  “All it takes is someone to bring a
bomb on board to commit the worst terrorist attack the UK and the world has
ever seen,'' he wrote.

McNeilly, who said he was on patrol with HMS Victorious from January to
April, accused Royal Navy bosses of covering up a collision between HMS
Vanguard and a French submarine in the Atlantic Ocean in February 2009.

At the time Ministry of Defence officials played down the incident and said
the Vanguard had suffered only `scrapes'.  But McNeilly said a Royal
Navy chief who was on board at the time told him afterwards: “We thought,
this is it—we're all going to die.''

The more senior submariner allegedly told McNeilly that the French vessel
“took a massive chunk out of the front of HMS Vanguard'' and grazed the
side of the boat.  Bottles of high-pressured air came loose in the
collision, he claimed, meaning the Royal Navy submarine had to return slowly
to Faslane to prevent them from exploding.

He also raised concerns about a number of his fellow seamen, including one
whose hobbies he claimed were killing small animals and watching extreme
pornography.  Another submariner, whom he named only as Pole, had threatened
to kill two fellow navy personnel and was routinely aggressive, McNeilly
claimed.

He described how HMS Vanguard's missile compartment doubled up as a gym,
leading to potentially disastrous mishaps when seamen dropped weights near
the boat's missile firing system.

McNeilly said he raised these and other concerns through the chain of
command on multiple occasions, but that “not once did someone even
attempt to make a change.''  [Long item truncated for RISKS.  PGN]


Amtrak, After Derailment, Told to Expand Automatic Brake Use

Monty Solomon <monty@roscom.com>
Sat, 16 May 2015 17:10:28 -0400
The Federal Railroad Administration said it had ordered the railroad to make
more use of technology that can automatically stop speeding trains.

http://www.nytimes.com/2015/05/17/us/federal-railroad-administration-orders-amtrak-to-expand-automatic-braking.html


A world ripe for the picking / Diploma mill edition

"Bob Frankston" <bob19-0501@bobf.frankston.com>
18 May 2015 09:52:13 -0400
http://www.nytimes.com/2015/05/18/world/asia/fake-diplomas-real-cash-pakistani-company-axact-reaps-millions-columbiana-barkley.html

Leveraging the use of unvetted sources for vetting. After all, if we can't
trust LinkedIn, what can we trust? And now that the topology of social
relationships doesn't correspond to the topology of legal obligations, the
world is ripe for the picking.


Fake Diplomas, Real Cash: Pakistani Company Axact Reaps Millions

Monty Solomon <monty@roscom.com>
Sun, 17 May 2015 22:05:55 -0400
  [More on Frankston's item follows.  PGN]

Seen from the Internet, it is a vast education empire: hundreds of
universities and high schools, with elegant names and smiling professors at
sun-dappled American campuses.

Their websites, glossy and assured, offer online degrees in dozens of
disciplines, like nursing and civil engineering. There are glowing
endorsements on the CNN iReport website, enthusiastic video testimonials,
and State Department authentication certificates bearing the signature of
Secretary of State John Kerry.

http://www.nytimes.com/2015/05/18/world/asia/fake-diplomas-real-cash-pakistani-company-axact-reaps-millions-columbiana-barkley.html

Below is a partial list of sites analyzed by The New York Times and
determined most likely to be linked to Axact's operation in Karachi,
Pakistan.

http://www.nytimes.com/2015/05/17/world/asia/tracking-axacts-websites.html


Axact, Fake Diploma Company, Threatens Pakistani Bloggers Who Laugh at Its Expense

Monty Solomon <monty@roscom.com>
Tue, 19 May 2015 04:44:24 -0400
The Pakistani company Axact threatened to sue a local blog, Pak Tea House,
merely for rounding up Twitter reaction to an exposé.

http://www.nytimes.com/2015/05/19/world/asia/axact-fake-diploma-company-threatens-pakistani-bloggers-who-laugh-at-its-expense.html


Text of Axact's Response to The New York Times

Monty Solomon <monty@roscom.com>
Tue, 19 May 2015 09:48:32 -0400
Text of Axact's Response to *The New York Times*
http://www.nytimes.com/2015/05/19/world/asia/text-of-axact-response-to-the-new-york-times.html

The Pakistani company Axact condemned a New York Times article that asserted
the company had reaped millions by selling fake diplomas.


Net Neutrality (Melissa Silmore)

"Hendricks Dewayne" <dewayne@warpspeed.com>
May 19, 2015 5:58 AM
  [Note:  This item comes from Dave Farber's IP List.  DLH]

Melissa Silmore, Net Neutrality, May 2015 Issue
http://www.carnegiemellontoday.com/issues/may-2015-issue/feature-stories/net-neutrality/

Douglas Sicker was relaxing at home in Boulder, Colo., late on a summer
evening. It had been a busy day, and he was happy to settle down to watch
some HBO, ready for a few laughs. The computer science professor had led a
meeting of network engineers earlier in the day, followed by drinks with
the group. Afterwards, while the out-of-towners returned to their hotels,
he headed home.

On his screen, a clean-cut British comedian sat smiling, hands clasped atop
his desk, wearing a crisp blue shirt, burgundy tie, and sport coat. The
segment began unassumingly but quickly gathered steam; a 13-minute hilarious
and blistering rant, punctuated by photos, graphs, and laughter.  On that
first Sunday in June 2014, John Oliver, host of HBO's Last Week Tonight,
managed the impossible. He transformed a technical, eye-glazing debate into
a pop-culture topic.

Net neutrality, Oliver began, “two words that promise—boredom,'' he said
while a stupefyingly monotonous CSPAN hearing played above his head.  “The
cable companies have figured out the great truth of America. If you want to
do something evil, put it inside something boring.''

“Net neutrality essentially means that all data has to be treated equally,''
Oliver went on, as the show played a news clip announcing that the Federal
Communications Commission (FCC) was opening the door for a two-tiered
system where giant internet service providers (ISPs), such as Comcast and
Verizon, could charge to send content more quickly. It would allow “big
companies to buy their way into the fast lane, leaving everyone else in the
slow lane,'' he asserted.

As Oliver continued his witty entreaty for net neutrality, Sicker's ears
perked up. The FCC's Chief Technology Officer in 2010-11, and previously
senior advisor on the FCC's 2010 National Broadband Plan, was more than
mildly interested.

Amid the one-liners, Oliver displayed a line graph of Netflix's download
speeds falling during a very public spat with Comcast, then pointed out the
rapid improvement when terms were settled. “That has all the ingredients of
a mob shakedown,'' he declared.

Ranting on about the cozy relationship the cable industry enjoys with
government, Oliver homed in on President Barack Obama's appointment of FCC
Chair Tom Wheeler. “The guy who used to run the cable industry's lobbying
arm is now running the agency tasked with its regulation. That's the
equivalent of needing a babysitter and hiring a dingo!'' he exclaimed, below
a photo of a wolf-like creature leering over a baby. He even pictured
Comcast's chief executive officer in a metal top hat and car—pointedly
perched on a Monopoly game board.

The pinnacle of the bit came at the end. With ceremonial music rising in the
background, Oliver stood and addressed the hordes of internet commenters, as
the web address for the FCC site loomed large onscreen.  “Good evening,
monsters,'' he exhorted, “we need you to get out there and focus your
indiscriminate rage in a useful direction. ... Turn on caps lock and fly my
pretties. Fly! Fly!'' he screamed, as the credits began to roll.

Sicker was just one of a million viewers tuned in that evening (YouTube
views are now nearly 9 million) as were many of Sicker's colleagues from
the telecom sector. “The next day, everyone was sharing links to that
clip,'' he recalls. “People could not stop talking about it.''

That same day, the FCC comment site shut down, evidently flooded. Comments
eventually reached nearly 4 million. Those 13 minutes of razor-tongued
entertainment had galvanized the public to a new issue that has, in
reality, been under debate for more than a decade. [...]


John Deere: of course you "own" your tractor, but only if you agree to let ...

Gabe Goldberg <gabe@gabegold.com>
Tue, 19 May 2015 15:32:20 -0400
http://boingboing.net/2015/05/13/john-deere-of-course-you-ow.html

Gabriel Goldberg, Computers and Publishing, Inc.       gabe@gabegold.com
3401 Silver Maple Place, Falls Church, VA 22042           (703) 204-0433


Inside Google's Secret War Against Ad Fraud (Adage)

Lauren Weinstein <lauren@vortex.com>
Tue, 19 May 2015 12:30:19 -0700
http://adage.com/article/digital/inside-google-s-secret-war-ad-fraud/298652/

  "Sasha is a member of Google's secretive antifraud team. The unit,
  numbering more than 100, is locked in a war against an unknown quantity of
  cybercriminals who are actively siphoning billions of dollars out of the
  digital advertising industry, primarily via the creation of robotic
  traffic that appears human. Mysterious to many even within Google, the
  group has never spoken to an outsider about the way it hunts botnets, let
  alone allowed someone into its offices to observe the process. But that
  silence ended the moment Sasha opened his computer."

That's "Secret" ...


Risks of online test taking

Jeremy Epstein <jeremy.j.epstein@gmail.com>
Thu, 21 May 2015 08:01:26 +0300
Following is an excerpt from an e-mail I received from Fairfax County Public
Schools (Fairfax VA, near Washington DC).  Relying on internet connectivity
without a backup plan, for a high stakes test - what could possibly go
wrong?  [Standards of Learning are a set of state-wide standardized tests
taken by all elementary, middle school, and high school students.]

-----

  [May 19] at approximately 12:30 p.m., Pearson Education, Inc., the company
  which provides the computer delivery system for Virginia's online
  Standards of Learning (SOL) tests, experienced an interruption in Internet
  connectivity.  The 90-minute service interruption today affected FCPS test
  sites along with other school divisions throughout Virginia.

  Students who had already begun testing before the interruption of Internet
  service were not impacted.  However, some students were unable to log on
  to the system to take scheduled SOL tests and other students received
  error messages when they tried to log off after completing tests.  As a
  result, some students had to wait in the test environment after they
  completed their tests until connectivity was restored and they were able
  to submit the tests.

  The FCPS Office of Student Testing is working with schools to ensure that
  all tests were submitted properly following the interruption.  At this
  time, we do not anticipate that any student responses on tests that were
  submitted were lost.

  In some cases, students started tests but, due to the interruption, were
  unable to finish before the end of the school day; tests for these
  students will need to be rescheduled.  Some schools may have canceled SOL
  testing because of the interruption and will notify students and families
  when today's SOL tests will be rescheduled.


Secret files reveal police feared that Trekkies could turn on society (Elizabeth Roberts)

Henry Baker <hbaker1@pipeline.com>
Thu, 21 May 2015 06:55:51 -0700
FYI—I had to check the date on this article several times to convince
myself it wasn't April 1st.  Beware Terrorist Trekkies!!!
No wonder TSA keeps checking my ears...

Elizabeth Roberts, *The Telegraph*, 17 May 2015
http://www.telegraph.co.uk/news/uknews/11611086/Secret-files-reveal-police-feared-that-Trekkies-could-turn-on-society.html

Scotland Yard kept a secret dossier on Star Trek and the X-Files in the run
up to the millennium amid security concerns about Trekkies at a convention.  For
years Star Trek fans—known as Trekkies—have been the butt of jokes
about their penchant for wearing pointy ears and attending science fiction
conventions.  But the police feared British fans of the cult American show
might boldly go a little too far one day.

It has emerged that Scotland Yard kept a secret dossier on Star Trek, The
X-Files, and other US sci fi shows amid fears that British fans would go mad
and kill themselves, turn against society or start a weird cult.
The American TV shows Roswell and Dark Skies and the film The Lawnmower Man
were also monitored to protect the country from rioting and cyber attacks.
Special Branch was concerned that people hooked on such material could go
into a frenzy triggered by the millennium leading to anarchy.

An undated confidential report to the Metropolitan Police, thought to have
been filed around 1998-99, listed concerns about conspiracy theorists who
believed the end of the world was nigh.

“Fuel is added to the fire by television dramas and feature films mostly
produced in America.  These draw together the various strands of religion,
UFOs, conspiracies, and mystic events and put them in an entertaining
storyline.''

The report added: "Obviously this is not sinister in itself, what is of
concern is the devotion certain groups and individuals ascribe to the
contents of these programmes."

The dossier—called UFO New Religious Movements and the Millennium—was
drawn up in response to the 1997 mass suicide by 39 cultists in San Diego
known as Heaven's Gate.  The group members were "ardent followers of The
X-Files and Star Trek" according to Special Branch.  [...]


HTTPS-crippling attack threatens tens of thousands of Web and mail servers (Ars via NNSquad)

Lauren Weinstein <lauren@vortex.com>
Tue, 19 May 2015 23:11:18 -0700
http://arstechnica.com/security/2015/05/https-crippling-attack-threatens-tens-of-thousands-of-web-and-mail-servers/

   The vulnerability affects an estimated 8.4 percent of the top one million
   websites and a slightly bigger percentage of mail servers populating the
   IPv4 address space, the researchers said. The threat stems from a flaw in
   the transport layer security protocol that websites and mail servers use
   to establish encrypted connections with end-users. The new attack, which
   its creators have dubbed Logjam, can be exploited against a subset of
   servers that support the widely used Diffie-Hellman key exchange, which
   allows two parties that have never met before to negotiate a secret key
   even though they're communicating over an unsecured, public channel.


Paranoid defence controls could criminalise teaching encryption (via NNSquad)

Lauren Weinstein <lauren@vortex.com>
Wed, 20 May 2015 07:56:15 -0700
http://theconversation.com/paranoid-defence-controls-could-criminalise-teaching-encryption-41238

  You might not think that an academic computer science course could be
  classified as an export of military technology. But under the Defence
  Trade Controls Act - which passed into law in April, and will come into
  force next year - there is a real possibility that even seemingly
  innocuous educational and research activities could fall foul of
  Australian defence export control laws.


US proposes tighter export rules for computer security tools (Jeremy Kirk)

"Richard Forno" <rforno@infowarrior.org>
May 21, 2015 12:00 PM
Jeremy Kirk, IT World, 20 May 2015 (link to the proposal is in the article.)
http://www.itworld.com/article/2925375/security/us-proposes-tighter-export-rules-for-computer-security-tools.html

The U.S. Commerce Department has proposed tighter export rules for computer
security tools, a potentially controversial revision to an international
agreement aimed at controlling weapons technology.

On Wednesday, the department published a proposal in the Federal Register
and opened a two-month comment period.

The changes are proposed to the Wassenaar Arrangement, an international
agreement reached in 1995, aimed at limiting the spread of “dual use''
technologies that could be used for harm.

Forty-one countries participate in the Wassenaar Arrangement, and lists of
controlled items are revised annually.

The Commerce Department's Bureau of Industry and Security (BIS) is
proposing requiring a license in order to export certain cybersecurity
tools used for penetrating systems and analyzing network communications.

If asked by the BIS, those applying for a license “must include a copy of
the sections of source code and other software (e.g., libraries and header
files) that implement or invoke the controlled cybersecurity functionality.''

Items destined for export to government users in Australia, Canada, New
Zealand or the U.K.—the so-called “Five Eyes'' nations which the U.S.
belongs to—would be subject to looser restrictions. Those nations'
intelligence agencies collaborate closely.

The proposal would modify rules added to the Wassenaar Arrangement in 2013
that limit the export of technologies related to intrusion and traffic
inspection.

The definition of intrusion software would also encompass “proprietary
research on the vulnerabilities and exploitation of computers and
network-capable devices,'' the proposal said.

Tools that would not be considered intrusion software include hypervisors,
debuggers and ones used for reverse engineering software.

There has long been concern that software tools in the wrong hands could
cause harm. But security professionals who conduct security tests of
organizations often employ the same software tools as those used by
attackers.

Thomas Rid, a professor in the Department of War Studies at King's College
London, wrote on Twitter that the proposed export regulations “seem too
broad; could even damage cybersecurity.''

Many private computer security companies sell information on software
vulnerabilities for commercial purposes, a practice that has been
criticized.

Those companies have defended their sales models, arguing that without a
financial incentive, the software vulnerabilities may not have been found,
which ultimately protects users. Many have policies that forbid selling
sensitive information to unvetted parties.

The proposal said there is a “policy of presumptive denial for items that
have or support rootkit or zero-day exploit capabilities.''

Rootkits are hard-to-detect programs used for electronically spying on a
computer, and a zero-day exploit is attack code that can take advantage of
a software flaw.

Changes to the list of controlled items covered by the Wassenaar Agreement
are decided by consensus at its annual plenary meeting in December.

[It's better to burn out than fade away.]


Africa's Worst New Internet Censorship Law Could be Coming to South Africa (EFF)

Lauren Weinstein <lauren@vortex.com>
Thu, 21 May 2015 10:33:51 -0700
https://www.eff.org/deeplinks/2015/05/africas-worst-new-internet-censorship-law-could-be-coming-south-africa

  Only once in a while does an Internet censorship law or regulation come
  along that is so audacious in its scope, so misguided in its premises, and
  so poorly thought out in its execution, that you have to check your
  calendar to make sure April 1 hasn't come around again. The Draft Online
  Regulation Policy recently issued by the Film and Publication Board (FPB)
  of South Africa is such a regulation. It's as if the fabled prude
  Mrs. Grundy had been brought forward from the 18th century, stumbled
  across hustler.com on her first excursion online, and promptly cobbled
  together a law to shut the Internet down. Yes, it's that bad.


"The Venom vulnerability: Little details bite back" (Paul Venezia)

Gene Wirchenko <genew@telus.net>
Fri, 22 May 2015 10:23:50 -0700
http://www.infoworld.com/article/2922315/virtualization/venom-security-vulnerability-little-details-bite-back.html
Paul Venezia, The Deep End, InfoWorld, 18 May 2015
Bad attacks rarely come through the front door—instead, the old
cracks let in the problems

selected text:

It's fittingly ironic that a vulnerability of this nature is vectored
through such an innocuous and fossilized function as a virtual floppy disk
driver; it's even more ironic that the bug in that code has existed since
2004.


Only 3% of people aced Intel's phishing quiz (Jeff Jedras)

Gene Wirchenko <genew@telus.net>
Fri, 22 May 2015 10:25:24 -0700
Jeff Jedras, IT Business, 15 May 2015
http://www.itbusiness.ca/news/only-three-per-cent-of-people-aced-intels-phishing-quiz/55685

opening text:

We probably think we're pretty savvy when it comes to identifying online
attacks and phishing emails, but Intel Security put us to the test and found
us lacking: 97 per cent of respondents were unable to identify all the
examples of phishing in their email security quiz.


"URL-spoofing bug in Safari could enable phishing attacks" (Lucian Constantin)

Gene Wirchenko <genew@telus.net>
Fri, 22 May 2015 10:27:58 -0700
Lucian Constantin, InfoWorld, 19 May 2015
Researcher develops code that can trick Safari into showing a
different URL in its address bar than the one currently loaded
http://www.infoworld.com/article/2923879/security/urlspoofing-bug-in-safari-could-enable-phishing-attacks.html

selected text:

The latest versions of Safari for Mac OS X and iOS are vulnerable to a
URL-spoofing exploit that could allow hackers to launch credible phishing
attacks.

The issue was discovered by security researcher David Leo, who published a
proof-of-concept exploit for it. Leo's demonstration consists of a Web page
hosted on his domain that, when opened in Safari, causes the browser to
display dailymail.co.uk in the address bar.

The ability to control the URL shown by the browser can, for example, be
used to easily convince users that they are on a bank's website when they
are actually on a phishing page designed to steal their financial
information.


"New LogJam encryption flaw puts Web surfers at risk" (Jeremy Kirk)

Gene Wirchenko <genew@telus.net>
Fri, 22 May 2015 10:34:04 -0700
Jeremy Kirk, InfoWorld, 20 May 2015
http://www.infoworld.com/article/2924732/security/new-logjam-encryption-flaw-puts-web-surfers-at-risk.html
LogJam is closely related to the FREAK security vulnerability and
involves downgrading TLS connections to a weak key

selected text:

The flaw, called LogJam, can allow an attacker to significantly weaken the
encrypted connection between a user and a Web or email server, said Matthew
D. Green, an assistant research professor in the department of computer
science at Johns Hopkins University.
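Both Logjam items above (the Ars excerpt and this InfoWorld piece) describe the attack as a downgrade of a Diffie-Hellman exchange to a weak group. The following is an added example, not code from either article or contributor: a small Python parser for the ServerDHParams structure (dh_p, dh_g, dh_Ys, each a two-byte-length-prefixed vector, per RFC 5246) that a TLS 1.2 server sends in its ServerKeyExchange, plus a classification of the modulus size, which is the property defenders check for Logjam exposure. The size thresholds are this example's own choices, and the sample moduli are constructed bit-length stand-ins, not real primes.

```python
"""Classify the Diffie-Hellman group size in a TLS 1.2 ServerKeyExchange.

Added, constructed example for the Logjam items; not code from the original
articles. Only the bit length of dh_p is inspected, since export-grade
(512-bit) groups are what the Logjam downgrade depends on.
"""
import struct

# Thresholds in bits (this example's own choices): 512 is the DHE_EXPORT
# size Logjam targets; 1024 is the floor major browsers adopted after
# Logjam; 2048 is the size generally recommended for new deployments.
EXPORT_BITS = 512
MIN_ACCEPTABLE_BITS = 1024
RECOMMENDED_BITS = 2048


def _read_vector(buf, offset):
    """Read one <1..2^16-1> opaque vector (two-byte big-endian length)."""
    if offset + 2 > len(buf):
        raise ValueError("truncated length prefix")
    (length,) = struct.unpack_from("!H", buf, offset)
    offset += 2
    if length == 0 or offset + length > len(buf):
        raise ValueError("truncated or empty vector")
    return buf[offset:offset + length], offset + length


def parse_server_dh_params(blob):
    """Parse ServerDHParams { dh_p, dh_g, dh_Ys } (RFC 5246 section 7.4.3).

    Returns (p, g, Ys) as Python integers. The encoding may carry leading
    zero bytes, so bit_length() of the integer, not the byte count, is the
    true group size.
    """
    p_bytes, off = _read_vector(blob, 0)
    g_bytes, off = _read_vector(blob, off)
    ys_bytes, off = _read_vector(blob, off)
    if off != len(blob):
        raise ValueError("trailing bytes after ServerDHParams")
    return (int.from_bytes(p_bytes, "big"),
            int.from_bytes(g_bytes, "big"),
            int.from_bytes(ys_bytes, "big"))


def classify_dh_group(p):
    """Map a DH modulus to a verdict string based on its bit length."""
    bits = p.bit_length()
    if bits <= EXPORT_BITS:
        return "export-grade"      # the size Logjam downgrades to
    if bits < MIN_ACCEPTABLE_BITS:
        return "weak"
    if bits < RECOMMENDED_BITS:
        return "acceptable"
    return "strong"


def encode_server_dh_params(p, g, ys):
    """Inverse of parse_server_dh_params; used here to build sample messages."""
    out = b""
    for value in (p, g, ys):
        raw = value.to_bytes((value.bit_length() + 7) // 8 or 1, "big")
        out += struct.pack("!H", len(raw)) + raw
    return out


def check_server_key_exchange(blob):
    """Parse a captured ServerDHParams blob and return (bits, verdict)."""
    p, _g, _ys = parse_server_dh_params(blob)
    return p.bit_length(), classify_dh_group(p)


# Constructed sample parameters: the moduli are bit-length stand-ins (top
# and low bits set), not real safe primes; only their size matters here.
EXPORT_GRADE_MSG = encode_server_dh_params((1 << 511) | 1, 2, 12345)
STRONG_MSG = encode_server_dh_params((1 << 2047) | 1, 2, 12345)

if __name__ == "__main__":
    for name, msg in (("export-grade sample", EXPORT_GRADE_MSG),
                      ("2048-bit sample", STRONG_MSG)):
        bits, verdict = check_server_key_exchange(msg)
        print(f"{name}: dh_p is {bits} bits -> {verdict}")
```

On a real capture, feed the bytes of the ServerDHParams portion of the ServerKeyExchange (before the signature) to check_server_key_exchange; a verdict of "export-grade" or "weak" means the server would accept the group sizes the Logjam downgrade relies on.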


"Critical vulnerability in NetUSB driver exposes millions of routers to hacking" (Lucian Constantin)

Gene Wirchenko <genew@telus.net>
Fri, 22 May 2015 10:37:31 -0700
Lucian Constantin, InfoWorld, 20 May 2015
Tens of routers and other embedded devices from various manufacturers
likely have the flaw, security researchers say
http://www.infoworld.com/article/2924187/security/critical-vulnerability-in-netusb-driver-exposes-millions-of-routers-to-hacking.html


The Body Cam Hacker Who Schooled the Police (Medium)

Lauren Weinstein <lauren@vortex.com>
Fri, 22 May 2015 10:57:42 -0700
https://medium.com/backchannel/the-body-cam-hacker-who-schooled-the-police-c046ff7f6f13

  Policies about where and when to turn cameras on, language to warn people
  who are being filmed, and limits on using the footage in investigations
  can address some of these concerns. But liberal public disclosure laws
  like Washington's leave a gaping loophole. How can police departments
  release videos to an eager public without invading the privacy of victims,
  patients and bystanders on some of the worst days of their lives?


Cybersecurity letter to the President 19-May-2015 (via Dave Farber)

John Denker <jsd@av8n.com>
May 20, 2015 at 12:29:54 AM EDT
[To:]
President Barack Obama
The White House
1600 Pennsylvania Avenue NW
Washington, DC 20500

[...] We urge you to reject any proposal that U.S. companies deliberately
weaken the security of their products.  We request that the White House
instead focus on developing policies that will promote rather than undermine
the wide adoption of strong encryption technology.  Such policies will in
turn help to promote and protect cybersecurity, economic growth, and human
rights, both here and abroad.

[snip]

[approximately 150 signatories, including security experts and tech companies]

Full text at:
 https://static.newamerica.org/attachments/3138--113/Encryption_Letter_to_Obama_final_051915.pdf
 http://cdn.arstechnica.net/wp-content/uploads/2015/05/cryptoletter.pdf

Lots of news media have picked up on this, but distressingly few link to the
actual letter.  Maybe I'm old-fashioned, but I think primary sources are
important.

  [Also noted by Lauren Weinstein,
  https://docs.google.com/document/d/1mX98l2Y05t_pV_gu_o_h4WezVajAXkca0NtZ7V9dQ_U/edit?hl=en&forcehl=1
  who added: “Not that it will likely make any difference in the final
  analysis regardless of who is President or in Congress, but hope springs
  eternal.''  PGN]


Is security really stuck in the Dark Ages? (Network World)

Lauren Weinstein <lauren@vortex.com>
Fri, 22 May 2015 21:27:06 -0700
http://www.networkworld.com/article/2925171/security0/is-security-really-stuck-in-the-dark-ages.html

  It had to be a bit of a jolt for more than 500 exhibitors and thousands of
  attendees at RSA Conference 2015 last month, all pushing, promoting and
  inspecting the latest and greatest in digital security technology: The
  theme of RSA President Amit Yoran's opening keynote was that they are all
  stuck in the Dark Ages.  [via NNSquad]


Adult dating site hack exposes millions of users

Henry Baker <hbaker1@pipeline.com>
Sat, 23 May 2015 07:37:36 -0700
Why should the FBI (Martin Luther King), the CIA (numerous Muslims) and the
NSA (LOVINT) have all the fun?  Now we can all be extorted by non-govt
criminals, too.  The honeyplot thickens...

Best LOL line of the article: "These sites are meant to be secure"

Geoff White, Channel4, 21 May 2015
http://www.channel4.com/news/adult-friendfinder-dating-hack-internet-dark-web

Hackers have struck one of the world's largest internet dating websites,
leaking the highly sensitive sexual information of almost four million users
onto the web.  The stolen data reveals the sexual preferences of users,
whether they're gay or straight, and even indicates which ones might be
seeking extramarital affairs.  In addition, the hackers have revealed email
addresses, usernames, dates of birth, postal codes and unique internet
addresses of users' computers.

Channel 4 News has been investigating the cyber underworld, discovering
which websites have been hacked and exposing the trade in personal
information of millions of people through so-called "dark web" sites.

Secretive forum

The investigation led to a secretive forum in which a hacker nicknamed
ROR[RG] posted the details of users of Adult FriendFinder.  The site boasts
63 million users worldwide and claims more than 7 million British members.
It bills itself as a "thriving sex community", and as a result users often
share sensitive sexual information when they sign up.

The information of 3.9m Adult FriendFinder members has been leaked,
including those who told the site to delete their accounts.

Shaun Harper is one of those whose details have been published.  "The site
seemed OK, but when I got into it I realised it wasn't really for me, I was
looking for something longer term.  But by that time I'd already given my
information.  You couldn't get into the site without handing over
information.

"I deleted my account, so I thought the information had gone.  These sites
are meant to be secure."

  [Long item truncated for RISKS.  PGN]


Man tries to report Starbucks vulnerability, is accused of fraud

Lauren Weinstein <lauren@vortex.com>
Sat, 23 May 2015 07:52:40 -0700
"The hardest part - responsible disclosure. Support guy honestly answered
there's absolutely no way to get in touch with technical department and he's
sorry I feel this way. Emailing InformationSecurityServices@starbucks.com on
March 23 was futile (and it only was answered on Apr 29). After trying
really hard to find anyone who cares, I managed to get this bug fixed in
like 10 days." —Egor Homakov [Sakurity via NNSquad]
  http://sakurity.com/blog/2015/05/21/starbucks.html


A Russian Smartphone Has to Overcome Rivals and Jokes About Its Origin

Monty Solomon <monty@roscom.com>
Sun, 17 May 2015 09:03:22 -0400
Few people looking to buy a state-of-the-art smartphone would even think
about a Russian model, but the makers of the YotaPhone aspire to change
that.

http://www.nytimes.com/2015/05/17/world/europe/a-russian-smartphone-has-to-overcome-rivals-and-jokes-about-origin.html


Some People Do More Than Text While Driving

Monty Solomon <monty@roscom.com>
Tue, 19 May 2015 09:41:16 -0400
Texting while driving has company. Some people are also using social media
services, taking selfies, and even making videos while they are behind the
wheel.

http://bits.blogs.nytimes.com/2015/05/19/some-people-do-more-than-text-while-driving/


Re: Drug database: third-party doctrine (RISKS-28.64)

Harlan Rosenthal <Harlan.Rosenthal@verizon.net>
Sun, 17 May 2015 20:06:43 -0400
Maybe I'm too much of a programmer, but the word "voluntary" should mean
something.  Most of the information we turn over today is NOT voluntary.
You can't get a prescription without revealing it to the pharmacist; the
pharmacist can't give it to you without revealing it to the state and
insurance databases; and all of this is required by law.  The change in
accessibility over the years is a clear example of a difference of degree
becoming a difference of kind.


Re: All cars must have tracking devices (RISKS-28.63,64)

Chris Drewe <e767pmk@yahoo.co.uk>
Sun, 17 May 2015 22:45:38 +0100
If level-crossing gates block the full width of the road then there's the
risk of vehicles being trapped as they close; if they only take half of the
road then they provide a better warning than just flashing lights, but
impatient drivers can zig-zag round them.

The *REAL* fundamental problem is that trains traveling at 120mph
(~200km/hr) or more can take several minutes/miles to stop—which vehicle
drivers don't always seem to appreciate—and ensuring that a train has
time to stop if the crossing is not clear would mean halting the traffic for
quite a while, thus increasing the risk of impatient drivers attempting to
cross anyway.

As I understand it, crashes or near-misses often happen on busy roads when a
line of slow-moving or stopped vehicles backs up across a level-crossing.
So the moral is—always be sure that there's enough empty road on the
other side of the crossing for your vehicle before you drive onto it.


Re: Banned Researcher Commandeered a Plane

Erling Kristiansen <erling.kristiansen@xs4all.nl>
Fri, 22 May 2015 21:14:56 +0200
Most publicity on this subject seems to focus on the specific hack and its
perpetrator, condemning his action.  This diverts attention away from the
much more serious underlying problem: A hacker, using simple tools and a
trivial intrusion into a network box, succeeded in breaching the isolation
between the passenger network and a highly safety critical technical network
of the aircraft.  This raises serious concerns about the overall network
design of the aircraft.

And more problems may be coming: Today, passenger and safety air/ground
communications are pretty well isolated from each other because they use
separate radio links and different technologies that do not readily mix.
But one plausible future development option is a move towards integrating
everything into a single air/ground link, all using IP technology. So,
effectively, the closed aeronautical safety critical networks will come
together physically with the Internet in this link, being separated only
logically by routers, firewalls and the like. Just one compromised router
somewhere in the world could make the safety critical networks, on-board as
well as on the ground, reachable from the Internet. Physical isolation would
no longer be possible.
