The RISKS Digest
Volume 28 Issue 72

Monday, 22nd June 2015

Forum on Risks to the Public in Computers and Related Systems

ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator


Contents

Polish airline LOT hacked, flights suspended for hours
Michal Rosa
8 Indicted in Identity Thefts of Patients at Montefiore Medical Center
NYT via Monty Solomon
US agency plundered by Chinese hackers made one of the dumbest security moves possible
Business Insider
Australia passes controversial anti-piracy web censorship law
Ars Technica
Reason.com hit with federal subpoena to identify online commenters
Steve Golson
"Help, I'm Trapped in Facebook's Absurd Pseudonym Purgatory"
WiReD
The Titanic and the Ark—Re: pension org phished
Michael Bacon
Re: L.A. plans potentially disastrous switch to "electronic" voting
Steve Lamont
Re: Major League Baseball cancels 60 million all-star votes (RISKS-28.71)
Harlan Rosenthal
Info on RISKS (comp.risks)

Polish airline LOT hacked, flights suspended for hours

"Rosa, Michal" <michal.rosa@hp.com>
Sun, 21 Jun 2015 23:01:49 +0000
A number of flights operated by the Polish national airline LOT were
grounded on Sunday, June 22 as unknown hackers gained access to LOT's
computers.

According to the official communique the computers were attacked in a way
which made it impossible to print flight plans for airliners departing from
Warsaw.  According to LOT there was no danger to any of the aircraft already
in the air; the only thing the attack prevented was the creation and printing
of flight plans for regular flights departing from Warsaw.  LOT announced the
problem at 4 pm on Sunday and the problem was apparently resolved by 8.45 pm.
At the moment no other details are known.

http://niebezpiecznik.pl/post/komputery-lot-u-zaatakowane-samoloty-uziemione/ - link in Polish only, sorry.


8 Indicted in Identity Thefts of Patients at Montefiore Medical Center

Monty Solomon <monty@roscom.com>
Mon, 22 Jun 2015 02:10:25 -0400
A hospital employee and seven others were indicted on Friday on charges of
stealing the personal information of as many as 12,000 patients.
http://www.nytimes.com/2015/06/20/nyregion/8-indicted-in-identity-thefts-of-patients-at-montefioremedical-center.html


US agency plundered by Chinese hackers made one of the dumbest security moves possible (Re: RISKS-28.69,71)

Lauren Weinstein <lauren@vortex.com>
Sat, 20 Jun 2015 20:30:37 -0700
http://www.businessinsider.com/the-us-agency-plundered-by-chinese-hackers-made-one-of-the-dumbest-security-moves-possible-2015-6

  Contractors in Argentina and China were given "direct access to every row
  of data in every database" when they were hired by the Office of Personnel
  Management (OPM) to manage the personnel records of more than 14 million
  federal employees, a federal consultant told ArsTechnica.

  [See also, from Monty Solomon: Undetected for nearly a year, Chinese
  intruders executed a sophisticated hack that gave them administrator
  privileges in government networks. Their ultimate target: information on
  anyone seeking a security clearance.
  http://www.nytimes.com/2015/06/21/us/attack-gave-chinese-hackers-privileged-access-to-us-systems.html
  PGN]


Australia passes controversial anti-piracy web censorship law (Ars)

Lauren Weinstein <lauren@vortex.com>
Mon, 22 Jun 2015 07:29:56 -0700
Ars via NNSquad
http://arstechnica.co.uk/tech-policy/2015/06/australia-passes-controversial-anti-piracy-web-censorship-law/

  As well as being based on a false premise, the new law will also be
  ineffectual, since Australians can simply use web proxies and VPNs to
  circumvent any blocks that are imposed. This has raised the fear that the
  courts will go on to apply the new law to VPN providers, although
  Australia's Communications Minister Malcolm Turnbull has insisted this
  won't happen. According to TorrentFreak, last week Turnbull said: "VPNs
  have a wide range of legitimate purposes, not least of which is the
  preservation of privacy--something which every citizen is entitled to
  secure for themselves--and [VPN providers] have no oversight, control or
  influence over their customers' activities."  If Turnbull sticks to that
  view, it is likely that Australians will turn increasingly to VPNs to
  nullify the new law.


Reason.com hit with federal subpoena to identify online commenters

Steve Golson <sgolson@trilobyte.com>
Sat, 20 Jun 2015 14:13:35 -0400
Reason.com, a leading libertarian website affiliated with Reason magazine,
received a federal grand jury subpoena compelling them to identify anonymous
commenters. The subpoena included a gag order so Reason.com could not talk
about it. Until now:

http://reason.com/blog/2015/06/19/government-stifles-speech
http://popehat.com/2015/06/08/department-of-justice-uses-grand-jury-subpoena-to-identify-anonymous-commenters-on-a-silk-road-post-at-reason-com/
http://popehat.com/2015/06/11/media-coverage-of-the-reason-debacle/

  But Reason.com is not the dark web. Many of our regular commenters
  voluntarily display either personal website information or their email
  addresses. In fact, three of the six commenters subject to this very
  subpoena voluntarily displayed public links to personal blogs at Blogger
  as part of their comments, one of which further links to a Google+ page.
  Raising the question: How can the government view these so-called
  "threats" as so nefarious when people posted them in such a non-anonymous
  fashion?


"Help, I'm Trapped in Facebook's Absurd Pseudonym Purgatory"

Lauren Weinstein <lauren@vortex.com>
Sat, 20 Jun 2015 16:54:40 -0700
http://www.wired.com/2015/06/facebook-real-name-policy-problems/

  "TWO WEEKS AGO, Facebook locked me out of my profile. My photos and
  friends are gone, my profile vanished without a trace.  Someone reported
  my account as pseudonymous, and Facebook kicked me out. To get back in, I
  must provide various forms of identification proving the authenticity of
  my username. I'm not going to.  I am one of many casualties of Facebook's
  recently rejiggered "authentic name" policy, wherein anonymous users can
  report a name as fake and trigger a verification process. Part of the
  motivation is stopping the proliferation of celebrity imposter accounts
  and profiles made for pets. But it's also allowed Facebook to shutter the
  accounts of real people, based on "authenticity." What does "authentic"
  mean, though?  It's both confusing and contextual, because identity itself
  is confusing and contextual."

Yet another difference with Google. When they realized that the entire "real
name" paradigm just didn't work out well for users in Google+, Google
actually learned from this and moved beyond it to an open naming model. In
contrast, Facebook just keeps repeating its own mistakes again, and again,
and again ...

  [FaRcebook with R for Repeat?  PGN]


The Titanic and the Ark

Michael Bacon <michaelbacon@tiscali.co.uk>
Sat, 20 Jun 2015 13:17:38 +0100
(was: Japanese pension organization phished ... (Macintyre, RISKS-28.67))

  "... very few employers seem interested in factoring [IT certifications]
  into their hiring process."

Over many years I have interviewed prospective employees for a variety of
roles, from screen-watchers in a SOC to top-flight consultants in 'Big Six'
practices.  A great many have adduced certificates of competency in IT and
IT/Information Security.  Few have stood my scrutiny.

I have seen candidates with CISSP after their name who had zero trade
experience; I have seen CISAs who couldn't audit their way out of a paper
bag; I have seen people with a "practitioner" certificate whose acquired
knowledge is useless in practice; and I have shown the door to those with a
plethora of Microsoft, Cisco and other manufacturer certifications who
couldn't explain what the first letter in SFTP, SSH, SHTTP meant, let alone
how it worked.

In short, I have never put much store by certificates, but a lot on
real-world, nose-to-the-grindstone, ear-to-the-ground, demonstrable
experience, ideally with a major cock-up in their past from which they have
learned major lessons.

As a consequence, I have recruited great people who were logical in thought,
thorough in approach, and tenacious in execution, and who have gone on to
have great careers.  But not one of the best I could name had any
certificate to back up the skills I hired them for.

The Ark was built by one man with no qualifications, the Titanic by people
with certificates.


Re: L.A. plans potentially disastrous switch to "electronic" voting

Steve Lamont
Sat, 20 Jun 2015 15:07:04 -0700
Here's the problem: our election system is *already* hacked and has been for
decades.  It seems perversely (and perhaps intentionally) designed to keep
all but the most fervent partisans from voting, especially in off-year
elections, where most of the mischief seems to now occur.

News archives are replete with tales of voters standing for hours in
enormously long lines, waiting for the chance to exercise their franchise.
Shortages of paper ballots are frequent.  And, now, of course, states seem
to be intent upon erecting further roadblocks to voting through voter ID
laws, which "solve" the largely non-existent problem of voter fraud.

And we wonder why voter turnout becomes progressively worse each election
and why all too often elections are decided by a few zealots, resulting in
the warped Congress and Senate currently installed in Washington, DC. (and
that includes members of *both* parties, mind you).

Now I'm not necessarily advocating electronic voting and certainly not
Internet voting, given the current state of the technology, but perhaps the
time has come for the technologists and security mavens reading this list to
go beyond mere nay-saying and skepticism and come up with verifiable,
auditable solutions that make voting as easy as, say, ordering a new gadget
from Amazon.


Re: Major League Baseball cancels 60 million all-star votes (RISKS-28.71)

Harlan Rosenthal <harlan.rosenthal@verizon.net>
Sun, 21 Jun 2015 07:13:38 -0500 (CDT)
Look on the bright side: at least the risks were made obvious and apparent
in a vote that has enough importance for people to care (and for publicity),
but less importance than a real governmental vote.
