The RISKS Digest, Volume 28 Issue 89

Peter G. Neumann

The RISKS Digest
Volume 28 Issue 89

Wednesday, 19th August 2015

Forum on Risks to the Public in Computers and Related Systems

ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

Please try the URL privacy information feature enabled by clicking the flashlight icon above. This will reveal two icons after each link the body of the digest. The shield takes you to a breakdown of Terms of Service for the site - however only a small number of sites are covered at the moment. The flashlight take you to an analysis of the various trackers etc. that the linked site delivers. Please let the website maintainer know if you find this useful or not. As a RISKS reader, you will probably not be surprised by what is revealed…

Technical problem suspends flights along east coast: PGN
Could Hackers Take Down a City?: Andrea Peterson
Hackers Say They Have Released Ashley Madison Files: NYTimes
Ashley Madison hack affects more than 33 million users: PGN
Voting risk in UK Labour Leadership Election: Paul Gittins
Wikipedia freedom-of-editing: Ken Knowlton
Intel to customers: We listen to you... All The Time!: Ariha Setalvad
Ad Blockers and the Nuisance at the Heart of the Modern Web: NYTimes
Re: Supreme Court's Free-Speech Expansion Has Far-Reaching Consequences: Henry Baker
Info on RISKS (comp.risks)

Technical problem suspends flights along east coast (Re: RISKS-28.87)

"Peter G. Neumann" <neumann@csl.sri.com>

Wed, 19 Aug 2015 13:05:07 PDT

  [Thanks to John Rushby, who notes that this upgrade is a part of ERAM
  (En Route Automation Modernization).  PGN]

The ATC problems that grounded hundreds of flights on Saturday were caused
by `a recent software upgrade' at the high-altitude radar facility in
Leesburg, Virginia, the FAA said in a statement on Monday. The upgrade,
which was installed by Lockheed Martin Corp., had a new function that
allowed controllers to set up a customized window of frequently referenced
data, the FAA said.  But as controllers used the new function, deleted
settings weren't deleted from the system memory, and the storage capacity
was overloaded.  “This consumed processing power needed for the successful
operation of the overall system,'' the FAA said.

The FAA said it has temporarily suspended the use of this function, and is
working with Lockheed on a permanent solution.  "The company is closely
examining why the issue was not identified during testing," the FAA said.

<http://www.avweb.com/avwebflash/news/ATC-Failure-Disrupts-Airline-Flights-224698-1.html>
<http://www.faa.gov/news/press_releases/news_story.cfm?newsId354>

Could Hackers Take Down a City? (Andrea Peterson)

"ACM TechNews" <technews@hq.acm.org>

Wed, 19 Aug 2015 12:44:15 -0400 (EDT)

Andrea Peterson, *The Washington Post*, 18 Aug 2015 (via ACM TechNews)

Researchers such as David Raymond, deputy director of Virginia Polytechnic
Institute and State University's IT Security Lab, warn of the possibility of
cyberattackers crippling a city because of urban centers' increasing
reliance on technology and the frail, messy connections that bind those
systems together.  "The digital pathways between all of the entities and
organizations in a city [are] often not well managed," Raymond cautions.
"In many cases, there's no overarching security architecture or even
understanding of holistically what the city looks like."  Raymond,
U.S. Military Academy at West Point professor Gregory Conti, and Drawbridge
Networks' Tom Cross presented research at this month's Black Hat USA
conference on cities' cyber-vulnerabilities.  They speculate transportation
systems are one area that may be susceptible to a targeted attack, given
they are places where otherwise well-shielded technology may converge in
ways that are not well protected, leading to a cascade effect that impacts
the entire city.  Other researchers presenting at Black Hat detailed how
security vulnerabilities involving Ethernet switches could be exploited to
cause a nuclear plant shutdown.  Conti also notes cities concerned about
hacking vulnerabilities often have difficulty drawing the right specialists
and secure resources to offer a long-term solution.  Cross argues cities
should use the same types of risk management tactics they apply to
traditional attacks to the digital domain.
http://orange.hosting.lsoft.com/trk/click?ref=znwrbbrs9_5-dfe2x2d26bx062548&

Hackers Say They Have Released Ashley Madison Files

Monty Solomon <monty@roscom.com>

Wed, 19 Aug 2015 01:11:40 -0400

http://bits.blogs.nytimes.com/2015/08/18/hackers-say-they-have-released-ashley-madison-files/

Hackers said last month that they had breached the computer network of the
adult dating site and stole passwords, email addresses and transaction
information.

Ashley Madison hack affects more than 33 million users

"Peter G. Neumann" <neumann@csl.sri.com>

Wed, 19 Aug 2015 15:15:12 PDT

Michael Miller, *The Washington Post*, 19 Aug 2015
Up to 40 million members of infidelities-R-us Web site compromised?
http://www.washingtonpost.com/news/morning-mix/wp/2015/08/19/dont-gloat-about-the-ashley-madison-leak-its-about-way-more-than-infidelity/?hpid=z8

Personal info of some 33 million users are now available for download.
15,000 people with U.S, .mil/.gov addresses, 133 UK folks with links to
   gov/local authorities.
http://www.wired.co.uk/news/archive/2015-08/19/ashley-madison-have-i-been-hacked
Welcome to the first day of the rest of your Internet!
35M e-addresses, 33M accounts, including every credit-card transaction from
  the last seven years.
http://www.theawl.com/2015/08/notes-on-the-ashley-madison-hack

Lots more.  This is REALLY UGLY.

,.. seamy, see-me squirming, unseemly, ...

Voting risk in UK Labour Leadership Election

Paul Gittins <paul.gittins@gmail.com>

Wed, 19 Aug 2015 20:43:02 +0100

A family member received their online vote for the UK Labour leadership
election - the party in opposition electing a new leader after they lost in
May 2015.

Politics aside, I was concerned by their approach to security and the
risks. As the opposition party there are no fundamental constitutional
issues, but poor practice, especially as it was run by a 3rd party
(Electoral Reform Services Ltd)

There seems little point in putting in place 2 part security" when they send
both parts in the same email... Also of note—if you have technical issues
you are supposed to send them part one of the code as part of the report --
a minor issue but still poor security.

The email read:

Dear ZZZZ,

You can now vote for the next Leader and Deputy Leader of the Labour Party.

You can vote online and your vote must be received by 12 noon on Thursday
10 September to count.

To vote, go to http://www.labour.org.uk/ballot2015 and enter the following
two-part security code to confirm your identity:

Security Code Part One: <redacted, all 8 digits>
Security Code Part Two: <redacted, 4 letters>

Once you have entered your security code, the website will give clear
instructions on how to cast your vote. It takes just a few moments to cast
your vote online, and you can do so at any time until the ballot closes at
12 noon on Thursday 10 September.

Wikipedia freedom-of-editing

Ken Knowlton <kcknowlton@aol.com>

Tue, 18 Aug 2015 18:10:12 -0400

Re: Wikipedia's loose control: 'LaurensRS' posted on "my" Ken Knowlton
Wikipedia site a rant so crude that I think it's actually amusing.  But,
because I'm still a living person (14 years into my 70's), it was removed
after three weeks of glory there.  It is, however, still available in Wiki's
edit history:

http://en.wikipedia.org/w/index.php?title=Ken_Knowlton&diffa6405285&oldida3415154

  [Ken, Does this imply that, similar to known cases of dead people having
  had votes cast in their names for years after their deaths, the deceased
  should actually be able to request false wikipages be removed?  PGN]

Intel to customers: We listen to you... All The Time! (Ariha Setalvad)

Henry Baker <hbaker1@pipeline.com>

Wed, 19 Aug 2015 07:31:46 -0700

FYI—The insane idiocy of this "feature" has left me speechless...

Is that an Intel in your pocket, or are you just happy to hear me?

Obviously, Intel wants to cozy up to the NSA/FBI/GCHQ even more than AT&T.

Of course, (many?) previous Intel processors already have this feature, and
Skylake is just the first one that has been publicly acknowledged.

"Intel said voice activation was technically possible with last year's
Core M chips."

Nice knowing you, Intel!

https://www.theverge.com/2015/8/18/9174887/microsoft-cortana-intel-voice-activation

Intel's new processors let you wake your computer with your voice

Ariha Setalvad, 18 Aug 2015

Intel's newest Skylake processors have a slightly [why only slightly?]
creepy new feature—they're always listening to you.  Shout "hey Cortana"
or "Cortana, wake up" at a Windows 10 machine with one of the new chips, and
your voice will be picked up by a digital signal processor secreted inside
the chip that will rouse your PC from its low power state.  Once it wakes
up, Cortana takes over and you can use all the standard voice commands,
including telling the digital assistant to play music or videos.

The company announced the new feature at its Intel Developer Forum in San
Francisco today.  A similar option also appeared on Microsoft's Xbox One and
Motorola's Moto X smartphone, but as with those devices, after the novelty
wears off, you might find it easier to simply turn on your machine in the
normal way instead of yelling at it from across the room.  Intel didn't
mention how much power the always-listening mode will drain or how much it
will affect the standby power, nor whether users would need any extra
hardware in order to boss their computer around with words.  Although Intel
said voice activation was technically possible with last year's Core M
chips, it's only now with Windows 10 and its Cortana integration that PCs
can take advantage of the feature.

Ad Blockers and the Nuisance at the Heart of the Modern Web